Bug 743481 (CVE-2011-3594)
| Field | Value |
|---|---|
| Summary | CVE-2011-3594 libpurple: invalid UTF-8 string handling in SILC messages |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Vincent Danen <vdanen> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | daniel_atallah, deryni, eblanton, fedora, itamar, jlieskov, jrb, lschiere+bugs, mark, mbarnes, stu |
| Target Milestone | --- |
| Target Release | --- |
| Keywords | Reopened, Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | pidgin 2.10.1 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2012-08-08 08:59:04 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 743483, 743796, 743797, 743798, 833968 |
| Bug Blocks | 743482 |
Description
Vincent Danen
2011-10-05 04:14:55 UTC
Created pidgin tracking bugs for this issue. Affects: fedora-all [bug 743483]

*** Bug 742450 has been marked as a duplicate of this bug. ***

The crash is caused by passing a "user-controlled" non-UTF-8 string to the g_markup_escape_text function. A lot of work has already been done by the original reporter at: http://developer.pidgin.im/ticket/14636

A non-UTF-8 string passed to g_markup_escape_text causes the same string to be passed along to append_escaped_text in gmarkup.c. append_escaped_text is supposed to parse this text and uses g_utf8_next_char to read the entire input string (assuming that it is UTF-8, of course). g_utf8_next_char returns invalid pointers, which causes the "while (p != end)" loop in append_escaped_text to never exit. This ultimately causes an OOB read and eventual client crash.

This crash can be easily reproduced by the following minimized code:

```c
/* esc.c: minimal reproducer. "\x61\xf8" is not valid UTF-8 (0xF8 is never a
 * legal lead byte), so g_markup_escape_text walks past the end of the buffer. */
#include <glib.h>

int main(void)
{
    gchar *first;

    /* Crashes inside append_escaped_text before returning. */
    first = g_markup_escape_text ("\x61\xf8", 2);
    g_free (first);
    return 0;
}
```

```
$ gcc -g -o esc `pkg-config --cflags --libs glib-2.0` esc.c
$ ./esc
Segmentation fault (core dumped)
$ gdb -q ./esc
Reading symbols from /home/huzaifas/scratch/esc...done.
(gdb) run
Starting program: /home/huzaifas/scratch/esc
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x000000316f2482a0 in append_escaped_text (length=<optimized out>, text=<optimized out>, str=0x601e00) at gmarkup.c:2106
2106	      next = g_utf8_next_char (p);
(gdb) bt
#0  0x000000316f2482a0 in append_escaped_text (length=<optimized out>, text=<optimized out>, str=0x601e00) at gmarkup.c:2106
#1  g_markup_escape_text (text=<optimized out>, length=<optimized out>) at gmarkup.c:2182
#2  0x000000000040052b in main () at esc.c:6
(gdb) frame 0
#0  0x000000316f2482a0 in append_escaped_text (length=<optimized out>, text=<optimized out>, str=0x601e00) at gmarkup.c:2106
2106	      next = g_utf8_next_char (p);
(gdb) p p
$1 = (const gchar *) 0x401000 <Address 0x401000 out of bounds>
```

The version of pidgin shipped in Red Hat Enterprise Linux 6 explicitly disables support for the SILC protocol and therefore is not affected.

This issue affects the version of pidgin shipped with Red Hat Enterprise Linux 4 and 5.

This issue affects the version of pidgin shipped with Fedora 14 and 15.

Statement:

Not vulnerable. This issue did not affect the version of pidgin as shipped with Red Hat Enterprise Linux 6 as it explicitly disables support for the SILC protocol.

This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:1371 https://rhn.redhat.com/errata/RHSA-2011-1371.html

pidgin-2.10.1-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

pidgin-2.10.1-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
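The analysis above explains why the `while (p != end)` loop in append_escaped_text never terminates on "\x61\xf8": the lead-byte skip table sends the cursor five bytes forward from 0xF8, past `end`, so equality is never reached. The following is an added illustration, not code from this bug report, GLib or Pidgin. It reimplements the lead-byte skip logic in plain C (the `lead_skip` function is written from the shape of GLib's skip table, not copied from it) so it runs without glib, and then shows the check a caller should perform before handing attacker-controlled bytes to a UTF-8-walking escaper: validate first and refuse invalid input. `walk_overshoot`, `utf8_validate` and `safe_markup_escape` are hypothetical helpers for this example; `safe_markup_escape` covers only the five XML entities, not the control-character escaping g_markup_escape_text also does.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Number of bytes a naive "next UTF-8 char" step advances for a given lead
 * byte. Same shape as the classic skip table used by g_utf8_next_char
 * (assumption: reconstructed, not GLib's actual table). Note that it trusts
 * the lead byte: 0xF8 claims a 5-byte sequence even when no such bytes exist. */
static size_t lead_skip(unsigned char c)
{
    if (c < 0xC0) return 1;   /* ASCII or stray continuation byte */
    if (c < 0xE0) return 2;
    if (c < 0xF0) return 3;
    if (c < 0xF8) return 4;
    if (c < 0xFC) return 5;   /* 0xF8..0xFB: obsolete 5-byte form */
    if (c < 0xFE) return 6;   /* 0xFC..0xFD: obsolete 6-byte form */
    return 1;
}

/* Simulate the escaper's cursor walk over [text, text+len) and report how far
 * past `end` it lands. The real loop is `while (p != end)`; once p jumps past
 * end it can never equal it again, so every further read is out of bounds.
 * Here the loop is bounded with `<` purely so the simulation cannot crash. */
size_t walk_overshoot(const char *text, size_t len)
{
    const unsigned char *p = (const unsigned char *)text;
    const unsigned char *end = p + len;

    while (p < end)
        p += lead_skip(*p);
    return (size_t)(p - end);     /* 0 means the walk stopped exactly at end */
}

/* Strict UTF-8 validation (RFC 3629): rejects bad lead bytes, truncated
 * sequences, bad continuation bytes, overlong encodings, surrogates and
 * code points above U+10FFFF. This is the check that must run on untrusted
 * bytes before any routine that assumes well-formed UTF-8. */
bool utf8_validate(const char *text, size_t len)
{
    const unsigned char *p = (const unsigned char *)text;
    const unsigned char *end = p + len;

    while (p < end) {
        unsigned char c = *p;
        size_t need;
        unsigned int cp, min;

        if (c < 0x80) { p++; continue; }
        else if (c >= 0xC2 && c <= 0xDF) { need = 1; cp = c & 0x1F; min = 0x80; }
        else if (c >= 0xE0 && c <= 0xEF) { need = 2; cp = c & 0x0F; min = 0x800; }
        else if (c >= 0xF0 && c <= 0xF4) { need = 3; cp = c & 0x07; min = 0x10000; }
        else return false;        /* 0x80..0xC1 and 0xF5..0xFF are never lead bytes */

        if ((size_t)(end - p) <= need)
            return false;         /* sequence runs past the buffer */
        for (size_t i = 1; i <= need; i++) {
            if ((p[i] & 0xC0) != 0x80)
                return false;     /* expected a continuation byte */
            cp = (cp << 6) | (p[i] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return false;         /* overlong, out of range, or surrogate */
        p += need + 1;
    }
    return true;
}

/* Hardened escaper: refuses invalid UTF-8 (returns NULL) instead of walking
 * it. After validation a byte-wise loop is safe, because in valid UTF-8 the
 * bytes of a multibyte sequence are never ASCII, so '&' '<' '>' '"' '\'' can
 * only appear as single-byte characters. Caller frees the result. */
char *safe_markup_escape(const char *text, size_t len)
{
    if (!utf8_validate(text, len))
        return NULL;

    char *out = malloc(len * 6 + 1);   /* worst case: "&quot;" per input byte */
    if (!out)
        return NULL;
    char *o = out;

    for (size_t i = 0; i < len; i++) {
        const char *rep = NULL;
        switch (text[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&apos;"; break;
        }
        if (rep) { size_t n = strlen(rep); memcpy(o, rep, n); o += n; }
        else *o++ = text[i];
    }
    *o = '\0';
    return out;
}

int main(void)
{
    /* Constructed inputs: the report's 2-byte trigger and a valid string. */
    static const char bad[] = "\x61\xf8";
    static const char good[] = "<nick> caf\xc3\xa9 & co";

    printf("overshoot for \\x61\\xf8: %zu bytes past end\n", walk_overshoot(bad, 2));
    printf("valid? bad=%d good=%d\n", utf8_validate(bad, 2),
           utf8_validate(good, sizeof good - 1));

    char *esc = safe_markup_escape(good, sizeof good - 1);
    printf("escaped: %s\n", esc ? esc : "(rejected)");
    free(esc);
    esc = safe_markup_escape(bad, 2);
    printf("escaped bad: %s\n", esc ? esc : "(rejected)");
    free(esc);
    return 0;
}
```

For the report's input the walk lands four bytes past `end` (0x61 advances one, 0xF8 advances five on a buffer of two), which is exactly why a `!=` termination test can never fire. In a libpurple protocol plugin the equivalent of `utf8_validate` is g_utf8_validate (or a conversion to UTF-8 with an explicit fallback) on every network-supplied nickname or message before it reaches g_markup_escape_text.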