Bug 453764 - (CVE-2008-2927) CVE-2008-2927 pidgin MSN integer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
impact=important,source=pidgin,report...
Keywords: Security
Depends On: 453765 453766 453767 453768 453769 833956
Reported: 2008-07-02 09:14 EDT by Josh Bressers
Modified: 2016-03-04 07:08 EST
Doc Type: Bug Fix
Last Closed: 2009-06-09 03:14:17 EDT

Attachments
Proposed upstream patch (1.60 KB, patch), 2008-07-02 09:14 EDT, Josh Bressers

Description Josh Bressers 2008-07-02 09:14:49 EDT
An integer overflow in Pidgin's MSN protocol handler could allow a malformed SLP
message to cause an integer overflow, which could result in arbitrary code
execution.

This flaw is only exploitable by individuals who can message a user, which is
controlled by the Pidgin privacy setting.  The default setting is to only allow
messages from users in the buddy list.
Comment 1 Josh Bressers 2008-07-02 09:14:49 EDT
Created attachment 310788 [details]
Proposed upstream patch
Comment 3 Warren Togami 2008-07-02 10:37:24 EDT
#
#
# patch "libpurple/protocols/msnp9/slplink.c"
#  from [0148f31961bbe4a9a992377e70db082952505db4]
#    to [f65596ea173bf7c9c1114edd7599140f470e7788]
#
============================================================
--- libpurple/protocols/msnp9/slplink.c	0148f31961bbe4a9a992377e70db082952505db4
+++ libpurple/protocols/msnp9/slplink.c	f65596ea173bf7c9c1114edd7599140f470e7788
@@ -597,7 +597,7 @@ msn_slplink_process_msg(MsnSlpLink *slpl
 	}
 	else if (slpmsg->size)
 	{
-		if ((offset + len) > slpmsg->size)
+		if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size)
 		{
 			purple_debug_error("msn", "Oversized slpmsg\n");
 			g_return_if_reached();
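Review bot: the new `G_MAXSIZE - len < offset` clause in the `+` line only detects the wraparound if at least one of `offset` and `len` has the width of G_MAXSIZE (gsize); if both are narrower unsigned types taken from the SLP header, `offset + len` wraps at their own width before the comparison and the G_MAXSIZE clause can never fire, so the hunk should either confirm the types of `offset` and `len` or use a form with no addition at all, e.g. `if (len > slpmsg->size || offset > slpmsg->size - len)`, which is correct for any unsigned width and needs no G_MAXSIZE.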

For reference, this is the upstream patch that went into 2.4.3.  I need to
backport this for pidgin-2.3.1 in RHEL4 and RHEL5, and pidgin-1.5.x in RHEL3.
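To see why the one-line guard in the patch matters, here is an added example (not Pidgin's code) that puts the pre-2.4.3 comparison beside the patched one and an addition-free variant, and feeds both a chunk whose offset makes the sum wrap; the `slpmsg_view` struct is a hypothetical stand-in for the real SLP message fields and SIZE_MAX stands in for GLib's G_MAXSIZE.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the fields msn_slplink_process_msg() works with;
 * the real code reads them from the SLP header of the incoming message. */
struct slpmsg_view {
    size_t size;    /* total declared size of the reassembled message */
    size_t offset;  /* where this chunk claims to sit in the buffer */
    size_t len;     /* length of this chunk's payload */
};

/* Pre-2.4.3 check: the sum is computed in size_t and may wrap around,
 * so a huge offset plus a modest len can land below slpmsg->size. */
bool chunk_ok_vulnerable(const struct slpmsg_view *m)
{
    return !((m->offset + m->len) > m->size);
}

/* Check as in the upstream patch, with SIZE_MAX in place of G_MAXSIZE.
 * The first clause detects that offset + len would wrap before it happens. */
bool chunk_ok_patched(const struct slpmsg_view *m)
{
    if (SIZE_MAX - m->len < m->offset || (m->offset + m->len) > m->size)
        return false;   /* the real code logs "Oversized slpmsg" and bails out */
    return true;
}

/* Equivalent form without any addition: both operands are bounded by
 * size, so neither comparison can wrap regardless of operand width. */
bool chunk_ok_no_add(const struct slpmsg_view *m)
{
    return m->len <= m->size && m->offset <= m->size - m->len;
}

int main(void)
{
    /* Constructed inputs: a normal chunk and one whose offset wraps the sum. */
    struct slpmsg_view normal  = { .size = 4096, .offset = 1024, .len = 512 };
    struct slpmsg_view wrapped = { .size = 4096, .offset = SIZE_MAX - 10, .len = 20 };

    printf("normal : vulnerable=%d patched=%d no_add=%d\n", chunk_ok_vulnerable(&normal),
           chunk_ok_patched(&normal), chunk_ok_no_add(&normal));
    printf("wrapped: vulnerable=%d patched=%d no_add=%d\n", chunk_ok_vulnerable(&wrapped),
           chunk_ok_patched(&wrapped), chunk_ok_no_add(&wrapped));
    return 0;
}
```

For the wrapped chunk, `offset + len` comes out as 9, so the old check accepts a write far past the end of the buffer while both hardened checks reject it.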
Comment 4 Josh Bressers 2008-07-03 22:01:38 EDT
I'm making this bug public in order to avoid creating confusion.
Comment 5 Tomas Hoger 2008-08-27 15:50:04 EDT
Upstream advisory:
  http://www.pidgin.im/news/security/?id=25

Fixed upstream in: 2.4.3
