Bug 743481 - (CVE-2011-3594) CVE-2011-3594 libpurple: invalid UTF-8 string handling in SILC messages
CVE-2011-3594 libpurple: invalid UTF-8 string handling in SILC messages
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20110929,repor...
: Reopened, Security
: 742450 (view as bug list)
Depends On: 743483 743796 743797 743798 833968
Blocks: 743482
  Show dependency treegraph
 
Reported: 2011-10-05 00:14 EDT by Vincent Danen
Modified: 2012-08-08 04:59 EDT (History)
11 users (show)

See Also:
Fixed In Version: pidgin 2.10.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-08 04:59:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2011-10-05 00:14:55 EDT
A flaw was reported [1] in libpurple's SILC protocol plugin, and all software which uses SILC via libpurple.  The g_markup_escape_text() function, when called on strings that have not been verified as valid UTF-8, will read past the end of the string and eventually segfault for certain sequences in some versions of Glib2.  The behaviour of this function was undefined, and because it depends on the particular version of Glib2 in use, it is unknown what the complete ramifications of the flaw is, however it has been verified that an untrusted user could remotely crash a libpurple client via specially crafted SILC messages.

This flaw is believed to affect all versions of libpurple up to and including 2.10.0.  This has been corrected in the upstream git repository [2].


[1] http://developer.pidgin.im/ticket/14636
[2] http://developer.pidgin.im/viewmtn/revision/diff/be5e66abad2af29604bc794cc4c6600ab12751f3/with/7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8
Comment 2 Vincent Danen 2011-10-05 00:22:03 EDT
Created pidgin tracking bugs for this issue

Affects: fedora-all [bug 743483]
Comment 5 Huzaifa S. Sidhpurwala 2011-10-05 01:08:35 EDT
*** Bug 742450 has been marked as a duplicate of this bug. ***
Comment 7 Huzaifa S. Sidhpurwala 2011-10-05 01:56:14 EDT
The crash is caused by passing "user-controlled" non-UTF8 string to the g_markup_escape_text function. 

Lot of work has already been done by the original reporter at:
http://developer.pidgin.im/ticket/14636

A non-utf8 string passed to g_markup_escape_text causes the same string to be passed along to append_escaped_text in gmarkup.c

append_escaped_text is supposed to parse this text and uses g_utf8_next_char to read the entire input string (assuming that it is utf8 of-course). g_utf8_next_char returns invalid pointers which causes "while (p != end)" loop in append_escaped_text to never exit. 

This ultimately causes OOB read and eventual client crash.

This crash can be easily reproduced by the following minimized code:



$ cat esc.c 
#include <glib.h>

void main()
{
        gchar *first;
        first = g_markup_escape_text ("\x61\xf8",2);
}


$ gcc -g -o esc `pkg-config --cflags --libs glib-2.0` esc.c

$ ./esc 
Segmentation fault (core dumped)

$ gdb -q ./esc
Reading symbols from /home/huzaifas/scratch/esc...done.
(gdb) run
Starting program: /home/huzaifas/scratch/esc 
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x000000316f2482a0 in append_escaped_text (length=<optimized out>, text=<optimized out>, str=0x601e00) at gmarkup.c:2106
2106	      next = g_utf8_next_char (p);
(gdb) bt
#0  0x000000316f2482a0 in append_escaped_text (length=<optimized out>, text=<optimized out>, str=0x601e00) at gmarkup.c:2106
#1  g_markup_escape_text (text=<optimized out>, length=<optimized out>) at gmarkup.c:2182
#2  0x000000000040052b in main () at esc.c:6
(gdb) frame 0
#0  0x000000316f2482a0 in append_escaped_text (length=<optimized out>, text=<optimized out>, str=0x601e00) at gmarkup.c:2106
2106	      next = g_utf8_next_char (p);
(gdb) p p 
$1 = (const gchar *) 0x401000 <Address 0x401000 out of bounds>
Comment 8 Huzaifa S. Sidhpurwala 2011-10-05 02:10:09 EDT
The version of pidgin shipped in Red Hat Enterprise Linux 6 explicitly disables support for SILC protocol and therefore is not affected.

This issue affects the version of pidgin shipped with Red Hat Enterprise Linux 4 and 5.

This issue affects the version of pidgin shipped with Fedora 14 and 15.
Comment 10 Vincent Danen 2011-10-13 23:25:41 EDT
Statement:

Not vulnerable.  This issue did not affect the version of pidgin as shipped with Red Hat Enterprise Linux 6 as it explicitly disables support for the SILC protocol.
Comment 11 errata-xmlrpc 2011-10-13 23:31:37 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:1371 https://rhn.redhat.com/errata/RHSA-2011-1371.html
Comment 14 Fedora Update System 2012-01-05 15:54:58 EST
pidgin-2.10.1-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2012-01-07 17:59:16 EST
pidgin-2.10.1-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.