Bug 453764 (CVE-2008-2927)

Summary: CVE-2008-2927 pidgin MSN integer overflow
Product: [Other] Security Response Reporter: Josh Bressers <bressers>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: kreilly, security-response-team, vdanen, wtogami
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-06-09 07:14:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 453765, 453766, 453767, 453768, 453769, 833956    
Bug Blocks:    
Attachments:
Description Flags
Proposed upstream patch none

Description Josh Bressers 2008-07-02 13:14:49 UTC
An integer overflow in Pidgin's MSN protocol handler could allow malformed SLP
message to cause an integer overflow, which could result in arbitrary code
execution.

This flaw is only exploitable by individuals who can message a user, which is
controlled by the Pidgin privacy setting.  The default setting is to only allow
messages from users in the buddy list.

Comment 1 Josh Bressers 2008-07-02 13:14:49 UTC
Created attachment 310788 [details]
Proposed upstream patch

Comment 3 Warren Togami 2008-07-02 14:37:24 UTC
#
#
# patch "libpurple/protocols/msnp9/slplink.c"
#  from [0148f31961bbe4a9a992377e70db082952505db4]
#    to [f65596ea173bf7c9c1114edd7599140f470e7788]
#
============================================================
--- libpurple/protocols/msnp9/slplink.c	0148f31961bbe4a9a992377e70db082952505db4
+++ libpurple/protocols/msnp9/slplink.c	f65596ea173bf7c9c1114edd7599140f470e7788
@@ -597,7 +597,7 @@ msn_slplink_process_msg(MsnSlpLink *slpl
 	}
 	else if (slpmsg->size)
 	{
-		if ((offset + len) > slpmsg->size)
+		if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size)
 		{
 			purple_debug_error("msn", "Oversized slpmsg\n");
 			g_return_if_reached();

For reference, this is the upstream patch that went into 2.4.3.  I need to
backport this for pidgin-2.3.1 in RHEL4 and RHEL5, and pidgin-1.5.x in RHEL3.

Comment 4 Josh Bressers 2008-07-04 02:01:38 UTC
I'm making this bug public in order to avoid creating confusion.

Comment 5 Tomas Hoger 2008-08-27 19:50:04 UTC
Upstream advisory:
  http://www.pidgin.im/news/security/?id=25

Fixed upstream in: 2.4.3