Bug 453764 (CVE-2008-2927) - CVE-2008-2927 pidgin MSN integer overflow
Summary: CVE-2008-2927 pidgin MSN integer overflow
Alias: CVE-2008-2927
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 453765 453766 453767 453768 453769 833956
TreeView+ depends on / blocked
Reported: 2008-07-02 13:14 UTC by Josh Bressers
Modified: 2019-09-29 12:25 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-06-09 07:14:17 UTC

Attachments (Terms of Use)
Proposed upstream patch (1.60 KB, patch)
2008-07-02 13:14 UTC, Josh Bressers
no flags Details | Diff

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0584 0 normal SHIPPED_LIVE Important: pidgin security and bug fix update 2008-07-09 08:35:26 UTC

Description Josh Bressers 2008-07-02 13:14:49 UTC
An integer overflow in Pidgin's MSN protocol handler could allow malformed SLP
message to cause an integer overflow, which could result in arbitrary code

This flaw is only exploitable by individuals who can message a user, which is
controlled by the Pidgin privacy setting.  The default setting is to only allow
messages from users in the buddy list.

Comment 1 Josh Bressers 2008-07-02 13:14:49 UTC
Created attachment 310788 [details]
Proposed upstream patch

Comment 3 Warren Togami 2008-07-02 14:37:24 UTC
# patch "libpurple/protocols/msnp9/slplink.c"
#  from [0148f31961bbe4a9a992377e70db082952505db4]
#    to [f65596ea173bf7c9c1114edd7599140f470e7788]
--- libpurple/protocols/msnp9/slplink.c	0148f31961bbe4a9a992377e70db082952505db4
+++ libpurple/protocols/msnp9/slplink.c	f65596ea173bf7c9c1114edd7599140f470e7788
@@ -597,7 +597,7 @@ msn_slplink_process_msg(MsnSlpLink *slpl
 	else if (slpmsg->size)
-		if ((offset + len) > slpmsg->size)
+		if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size)
 			purple_debug_error("msn", "Oversized slpmsg\n");

For reference, this is the upstream patch that went into 2.4.3.  I need to
backport this for pidgin-2.3.1 in RHEL4 and RHEL5, and pidgin-1.5.x in RHEL3.

Comment 4 Josh Bressers 2008-07-04 02:01:38 UTC
I'm making this bug public in order to avoid creating confusion.

Comment 5 Tomas Hoger 2008-08-27 19:50:04 UTC
Upstream advisory:

Fixed upstream in: 2.4.3

Note You need to log in before you can comment on or make changes to this bug.