Bug 743481 (CVE-2011-3594)

Summary: CVE-2011-3594 libpurple: invalid UTF-8 string handling in SILC messages
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: daniel_atallah, deryni, eblanton, fedora, itamar, jlieskov, jrb, lschiere+bugs, mark, mbarnes, stu
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: pidgin 2.10.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-08 08:59:04 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 743483, 743796, 743797, 743798, 833968
Bug Blocks: 743482

Description Vincent Danen 2011-10-05 04:14:55 UTC
A flaw was reported [1] in libpurple's SILC protocol plugin, and all software which uses SILC via libpurple.  The g_markup_escape_text() function, when called on strings that have not been verified as valid UTF-8, will read past the end of the string and eventually segfault for certain sequences in some versions of Glib2.  The behaviour of this function was undefined, and because it depends on the particular version of Glib2 in use, it is unknown what the complete ramifications of the flaw are; however, it has been verified that an untrusted user could remotely crash a libpurple client via specially crafted SILC messages.

This flaw is believed to affect all versions of libpurple up to and including 2.10.0.  This has been corrected in the upstream git repository [2].


[1] http://developer.pidgin.im/ticket/14636
[2] http://developer.pidgin.im/viewmtn/revision/diff/be5e66abad2af29604bc794cc4c6600ab12751f3/with/7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8

Comment 2 Vincent Danen 2011-10-05 04:22:03 UTC
Created pidgin tracking bugs for this issue

Affects: fedora-all [bug 743483]

Comment 5 Huzaifa S. Sidhpurwala 2011-10-05 05:08:35 UTC
*** Bug 742450 has been marked as a duplicate of this bug. ***

Comment 7 Huzaifa S. Sidhpurwala 2011-10-05 05:56:14 UTC
The crash is caused by passing a "user-controlled" non-UTF-8 string to the g_markup_escape_text function.

A lot of work has already been done by the original reporter at:
http://developer.pidgin.im/ticket/14636

A non-UTF-8 string passed to g_markup_escape_text causes the same string to be passed along to append_escaped_text in gmarkup.c.

append_escaped_text is supposed to parse this text and uses g_utf8_next_char to read the entire input string (assuming, of course, that it is UTF-8). g_utf8_next_char returns invalid pointers, which causes the "while (p != end)" loop in append_escaped_text to never exit.

This ultimately causes an OOB read and an eventual client crash.

This crash can be easily reproduced by the following minimized code:



$ cat esc.c 
#include <glib.h>

int main(void)
{
        gchar *first;
        first = g_markup_escape_text ("\x61\xf8", 2);
        /* "\x61\xf8" is "a" followed by a lone 0xF8 lead byte: invalid UTF-8,
         * passed unvalidated just as the SILC plugin did. Affected GLib
         * versions segfault inside the call above, so the lines below are
         * never reached there. */
        g_free (first);
        return 0;
}


$ gcc -g -o esc esc.c `pkg-config --cflags --libs glib-2.0`

$ ./esc 
Segmentation fault (core dumped)

$ gdb -q ./esc
Reading symbols from /home/huzaifas/scratch/esc...done.
(gdb) run
Starting program: /home/huzaifas/scratch/esc 
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x000000316f2482a0 in append_escaped_text (length=<optimized out>, text=<optimized out>, str=0x601e00) at gmarkup.c:2106
2106	      next = g_utf8_next_char (p);
(gdb) bt
#0  0x000000316f2482a0 in append_escaped_text (length=<optimized out>, text=<optimized out>, str=0x601e00) at gmarkup.c:2106
#1  g_markup_escape_text (text=<optimized out>, length=<optimized out>) at gmarkup.c:2182
#2  0x000000000040052b in main () at esc.c:6
(gdb) frame 0
#0  0x000000316f2482a0 in append_escaped_text (length=<optimized out>, text=<optimized out>, str=0x601e00) at gmarkup.c:2106
2106	      next = g_utf8_next_char (p);
(gdb) p p 
$1 = (const gchar *) 0x401000 <Address 0x401000 out of bounds>
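
To make the mechanism in the comment above concrete, here is an added example (not code from the original report, from GLib or from Pidgin) that walks a buffer with the same lead-byte skip values GLib's g_utf8_skip table uses, shows how the two-byte reproducer overshoots the end of the buffer, and then applies the defence a caller needs: validate the string first and, if it is not valid UTF-8, replace the offending bytes with U+FFFD before handing it to any function that assumes UTF-8. The validator and salvage routine are written for this example and are not a claim about the exact upstream Pidgin patch; the program does not link GLib, and the test inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Same values as GLib's g_utf8_skip table: the lead byte alone decides how
 * far g_utf8_next_char() jumps; neither the remaining length nor the
 * continuation bytes are consulted. */
static size_t utf8_skip(unsigned char lead)
{
    if (lead < 0xC0) return 1;
    if (lead < 0xE0) return 2;
    if (lead < 0xF0) return 3;
    if (lead < 0xF8) return 4;
    if (lead < 0xFC) return 5;
    if (lead < 0xFE) return 6;
    return 1;
}

/* Walk `text` the way append_escaped_text() does (p += skip, loop until
 * p reaches end). Returns how many bytes past `end` the walk lands, or 0
 * when every step lands exactly on `end`. A non-zero result is exactly the
 * case in which the real loop (`while (p != end)`) never terminates. */
size_t escape_walk_overrun(const char *text, size_t len)
{
    const char *p = text, *end = text + len;
    while (p < end)                 /* `<` rather than `!=` so this demo stops */
        p += utf8_skip((unsigned char)*p);
    return (size_t)(p - end);
}

/* Length of the well-formed UTF-8 sequence starting at s[0] given `avail`
 * bytes, or 0 if none: rejects stray continuation bytes, 0xC0/0xC1/0xF5+
 * leads, truncated sequences, overlongs, surrogates and > U+10FFFF. */
static size_t valid_seq_len(const unsigned char *s, size_t avail)
{
    unsigned char c = s[0];
    size_t n; uint32_t cp, min;
    if (c < 0x80) return 1;
    if (c >= 0xC2 && c <= 0xDF) { n = 1; cp = c & 0x1F; min = 0x80; }
    else if (c >= 0xE0 && c <= 0xEF) { n = 2; cp = c & 0x0F; min = 0x800; }
    else if (c >= 0xF0 && c <= 0xF4) { n = 3; cp = c & 0x07; min = 0x10000; }
    else return 0;
    if (avail < n + 1) return 0;    /* sequence runs past the buffer */
    for (size_t k = 1; k <= n; k++) {
        if ((s[k] & 0xC0) != 0x80) return 0;
        cp = (cp << 6) | (s[k] & 0x3F);
    }
    if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
    return n + 1;
}

/* 1 if `text` is entirely well-formed UTF-8, else 0. This is the check the
 * SILC plugin lacked before handing data to g_markup_escape_text(). */
int utf8_validate(const char *text, size_t len)
{
    const unsigned char *s = (const unsigned char *)text;
    for (size_t i = 0; i < len; ) {
        size_t n = valid_seq_len(s + i, len - i);
        if (n == 0) return 0;
        i += n;
    }
    return 1;
}

/* Copy `text`, replacing every byte that does not start a well-formed
 * sequence with U+FFFD (EF BF BD). The result is always valid UTF-8 and
 * NUL-terminated; caller frees. Worst case is 3x growth plus the NUL. */
char *utf8_salvage(const char *text, size_t len)
{
    const unsigned char *s = (const unsigned char *)text;
    char *out = malloc(len * 3 + 1), *o = out;
    if (!out) return NULL;
    for (size_t i = 0; i < len; ) {
        size_t n = valid_seq_len(s + i, len - i);
        if (n) { memcpy(o, s + i, n); o += n; i += n; }
        else   { memcpy(o, "\xEF\xBF\xBD", 3); o += 3; i += 1; }
    }
    *o = '\0';
    return out;
}

int main(void)
{
    const char bad[] = "\x61\xf8";  /* the two-byte reproducer from comment 7 */
    printf("reproducer: overrun by %zu bytes, valid=%d\n",
           escape_walk_overrun(bad, 2), utf8_validate(bad, 2));
    char *fixed = utf8_salvage(bad, 2);
    if (!fixed) return 1;
    printf("salvaged:   valid=%d, overrun=%zu\n",
           utf8_validate(fixed, strlen(fixed)),
           escape_walk_overrun(fixed, strlen(fixed)));
    free(fixed);
    return 0;
}
```

On the reproducer the walk lands four bytes past the end (0x61 advances one byte, then the 0xF8 lead byte advances five), which is why the real loop keeps reading until it hits unmapped memory. Validating first, or salvaging and then escaping the salvaged copy, is the caller-side fix; g_markup_escape_text() itself documents no tolerance for invalid input.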

Comment 8 Huzaifa S. Sidhpurwala 2011-10-05 06:10:09 UTC
The version of pidgin shipped in Red Hat Enterprise Linux 6 explicitly disables support for SILC protocol and therefore is not affected.

This issue affects the version of pidgin shipped with Red Hat Enterprise Linux 4 and 5.

This issue affects the version of pidgin shipped with Fedora 14 and 15.

Comment 10 Vincent Danen 2011-10-14 03:25:41 UTC
Statement:

Not vulnerable.  This issue did not affect the version of pidgin as shipped with Red Hat Enterprise Linux 6 as it explicitly disables support for the SILC protocol.

Comment 11 errata-xmlrpc 2011-10-14 03:31:37 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:1371 https://rhn.redhat.com/errata/RHSA-2011-1371.html

Comment 14 Fedora Update System 2012-01-05 20:54:58 UTC
pidgin-2.10.1-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2012-01-07 22:59:16 UTC
pidgin-2.10.1-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.