Bug 514957 (CVE-2009-2694) - CVE-2009-2694 pidgin: insufficient input validation in msn_slplink_process_msg()
Summary: CVE-2009-2694 pidgin: insufficient input validation in msn_slplink_process_msg()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-2694
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=critical,source=upstream,repor...
Depends On: 515723 515724 515725 515726 515727 833961
Blocks:
Reported: 2009-07-31 16:22 UTC by Tomas Hoger
Modified: 2019-06-08 12:48 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-08-24 07:32:28 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1218 normal SHIPPED_LIVE Critical: pidgin security update 2009-08-18 18:00:52 UTC

Description Tomas Hoger 2009-07-31 16:22:16 UTC
Core Security Technologies reported that previous upstream fixes addressing an insufficient input validation flaw in pidgin / libpurple in the function msn_slplink_process_msg() are inefficient and can be bypassed.  This flaw allows an attacker to overwrite pidgin's memory and possibly execute arbitrary code with the privileges of the user running an application using libpurple.

This issue was previously tracked as CVE-2008-2927 (bug #453764) and CVE-2009-1376 (bug #500493, incomplete fix).

Comment 4 Tomas Hoger 2009-08-13 12:31:56 UTC
Mitigation:

Users can lower the impact of this flaw by making sure their privacy settings only allow Pidgin to accept messages from users on their buddy list.  This will prevent exploitation of this flaw by other random MSN users.

Comment 5 Tomas Hoger 2009-08-13 12:39:01 UTC
Technically, this is not really an incomplete fix of the previous integer overflow issues, but rather a new issue affecting the same code as the previous issues.

In the new attack, the attacker aims to exploit a NULL pointer dereference flaw.  This is achieved by sending a message with a non-0 offset.  When such a message is processed in msn_slplink_process_msg(), msn_slplink_message_find() is called to find previous parts of the message sent within the same session.  With specially crafted previous messages, msn_slplink_message_find() may return a structure for an ACK message, rather than a request message, which later triggers a NULL pointer dereference in:

  memcpy(slpmsg->buffer + offset, data, len);

In an ACK message, slpmsg->buffer is NULL and the attacker-supplied offset can be used to control what memory area will be overwritten.
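Added example (not libpurple code, and not part of this bug report): a hardened counterpart of the unguarded memcpy() above, written against a constructed, simplified message structure. The type and field names (slp_msg_t, is_ack, buffer, size) and the function names are assumptions for illustration; the point is the two checks the report implies a fix needs: refuse to copy when the message found for the session has no buffer (the ACK case), and reject any peer-supplied offset/length that does not fit inside the allocated buffer, using arithmetic that cannot wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified stand-in for the message structure handled by
 * msn_slplink_process_msg(); names are assumptions, not libpurple's own. */
typedef struct {
    int is_ack;               /* ACK messages carry no payload */
    unsigned char *buffer;    /* NULL for an ACK, as the report describes */
    size_t size;              /* bytes allocated in buffer */
} slp_msg_t;

enum { SLP_OK = 0, SLP_NO_BUFFER = -1, SLP_BAD_RANGE = -2 };

/* A request message owns a payload buffer of the announced size. */
slp_msg_t *slp_msg_new_request(size_t size)
{
    slp_msg_t *m = calloc(1, sizeof *m);
    if (m == NULL)
        return NULL;
    m->buffer = calloc(size ? size : 1, 1);
    if (m->buffer == NULL) {
        free(m);
        return NULL;
    }
    m->size = size;
    return m;
}

/* An ACK message never allocates a buffer (buffer stays NULL, size 0). */
slp_msg_t *slp_msg_new_ack(void)
{
    slp_msg_t *m = calloc(1, sizeof *m);
    if (m != NULL)
        m->is_ack = 1;
    return m;
}

void slp_msg_free(slp_msg_t *m)
{
    if (m == NULL)
        return;
    free(m->buffer);
    free(m);
}

/* Hardened replacement for the unguarded
 *     memcpy(slpmsg->buffer + offset, data, len);
 * Every condition is checked before the copy:
 *  - the message found for this session is an ACK or has no buffer;
 *  - the peer-supplied offset lies beyond the buffer (catches huge values);
 *  - offset + len would run past the end, tested as len > remaining room
 *    so the arithmetic cannot wrap. */
int slp_append_part(slp_msg_t *m, uint64_t offset,
                    const unsigned char *data, size_t len)
{
    if (m == NULL || m->is_ack || m->buffer == NULL)
        return SLP_NO_BUFFER;
    if (offset > m->size)
        return SLP_BAD_RANGE;
    if (len > m->size - (size_t)offset)
        return SLP_BAD_RANGE;
    memcpy(m->buffer + offset, data, len);
    return SLP_OK;
}

int main(void)
{
    /* Constructed inputs: one ACK and one 16-byte request message. */
    slp_msg_t *ack = slp_msg_new_ack();
    slp_msg_t *req = slp_msg_new_request(16);
    const unsigned char part[] = "12345678";

    printf("ACK, offset 4:      %d\n", slp_append_part(ack, 4, part, 8));
    printf("request, offset 8:  %d\n", slp_append_part(req, 8, part, 8));
    printf("request, offset 12: %d\n", slp_append_part(req, 12, part, 8));

    slp_msg_free(ack);
    slp_msg_free(req);
    return 0;
}
```

The ACK case returns SLP_NO_BUFFER instead of computing NULL + offset, and the third call is refused because 12 + 8 exceeds the 16 bytes allocated; only the in-range part is copied.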

Comment 8 errata-xmlrpc 2009-08-18 18:00:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1218 https://rhn.redhat.com/errata/RHSA-2009-1218.html

Comment 9 Jan Lieskovsky 2009-08-21 08:58:49 UTC
MITRE's CVE-2009-2694 record:
-----------------------------

The msn_slplink_process_msg function in
libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin
(formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows
remote attackers to execute arbitrary code or cause a denial of
service (memory corruption and application crash) by sending multiple
crafted SLP (aka MSNSLP) messages to trigger an overwrite of an
arbitrary memory location. NOTE: this issue reportedly exists because
of an incomplete fix for CVE-2009-1376.

References:
-----------
http://www.coresecurity.com/content/libpurple-arbitrary-write
http://developer.pidgin.im/viewmtn/revision/info/6f7343166c673bf0496ecb1afec9b633c1d54a0e
http://developer.pidgin.im/wiki/ChangeLog
http://www.pidgin.im/news/security/?id=34
http://secunia.com/advisories/36384
http://secunia.com/advisories/36392
http://secunia.com/advisories/36401
http://www.vupen.com/english/advisories/2009/2303

Comment 10 Tomas Hoger 2009-08-24 07:32:28 UTC
All current Fedora versions are now updated to 2.6.0+ too.

