Bug 453764 (CVE-2008-2927) - CVE-2008-2927 pidgin MSN integer overflow
Summary: CVE-2008-2927 pidgin MSN integer overflow
Status: CLOSED ERRATA
Alias: CVE-2008-2927
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,source=pidgin,report...
Keywords: Security
Depends On: 453765 453766 453767 453768 453769 833956
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-07-02 13:14 UTC by Josh Bressers
Modified: 2019-06-08 12:32 UTC (History)
4 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2009-06-09 07:14:17 UTC


Attachments (Terms of Use)
Proposed upstream patch (1.60 KB, patch)
2008-07-02 13:14 UTC, Josh Bressers
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0584 normal SHIPPED_LIVE Important: pidgin security and bug fix update 2008-07-09 08:35:26 UTC

Description Josh Bressers 2008-07-02 13:14:49 UTC
An integer overflow in Pidgin's MSN protocol handler could allow malformed SLP
message to cause an integer overflow, which could result in arbitrary code
execution.

This flaw is only exploitable by individuals who can message a user, which is
controlled by the Pidgin privacy setting.  The default setting is to only allow
messages from users in the buddy list.

Comment 1 Josh Bressers 2008-07-02 13:14:49 UTC
Created attachment 310788 [details]
Proposed upstream patch

Comment 3 Warren Togami 2008-07-02 14:37:24 UTC
#
#
# patch "libpurple/protocols/msnp9/slplink.c"
#  from [0148f31961bbe4a9a992377e70db082952505db4]
#    to [f65596ea173bf7c9c1114edd7599140f470e7788]
#
============================================================
--- libpurple/protocols/msnp9/slplink.c	0148f31961bbe4a9a992377e70db082952505db4
+++ libpurple/protocols/msnp9/slplink.c	f65596ea173bf7c9c1114edd7599140f470e7788
@@ -597,7 +597,7 @@ msn_slplink_process_msg(MsnSlpLink *slpl
 	}
 	else if (slpmsg->size)
 	{
-		if ((offset + len) > slpmsg->size)
+		if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size)
 		{
 			purple_debug_error("msn", "Oversized slpmsg\n");
 			g_return_if_reached();

For reference, this is the upstream patch that went into 2.4.3.  I need to
backport this for pidgin-2.3.1 in RHEL4 and RHEL5, and pidgin-1.5.x in RHEL3.

Comment 4 Josh Bressers 2008-07-04 02:01:38 UTC
I'm making this bug public in order to avoid creating confusion.

Comment 5 Tomas Hoger 2008-08-27 19:50:04 UTC
Upstream advisory:
  http://www.pidgin.im/news/security/?id=25

Fixed upstream in: 2.4.3


Note You need to log in before you can comment on or make changes to this bug.