A flaw was reported [1] in libpurple's SILC protocol plugin, and all software which uses SILC via libpurple. The g_markup_escape_text() function, when called on strings that have not been verified as valid UTF-8, will read past the end of the string and eventually segfault for certain sequences in some versions of Glib2. The behaviour of this function was undefined, and because it depends on the particular version of Glib2 in use, it is unknown what the complete ramifications of the flaw is, however it has been verified that an untrusted user could remotely crash a libpurple client via specially crafted SILC messages. This flaw is believed to affect all versions of libpurple up to and including 2.10.0. This has been corrected in the upstream git repository [2]. [1] http://developer.pidgin.im/ticket/14636 [2] http://developer.pidgin.im/viewmtn/revision/diff/be5e66abad2af29604bc794cc4c6600ab12751f3/with/7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8
Created pidgin tracking bugs for this issue Affects: fedora-all [bug 743483]
*** Bug 742450 has been marked as a duplicate of this bug. ***
The crash is caused by passing "user-controlled" non-UTF8 string to the g_markup_escape_text function. Lot of work has already been done by the original reporter at: http://developer.pidgin.im/ticket/14636 A non-utf8 string passed to g_markup_escape_text causes the same string to be passed along to append_escaped_text in gmarkup.c append_escaped_text is supposed to parse this text and uses g_utf8_next_char to read the entire input string (assuming that it is utf8 of-course). g_utf8_next_char returns invalid pointers which causes "while (p != end)" loop in append_escaped_text to never exit. This ultimately causes OOB read and eventual client crash. This crash can be easily reproduced by the following minimized code: $ cat esc.c #include <glib.h> void main() { gchar *first; first = g_markup_escape_text ("\x61\xf8",2); } $ gcc -g -o esc `pkg-config --cflags --libs glib-2.0` esc.c $ ./esc Segmentation fault (core dumped) $ gdb -q ./esc Reading symbols from /home/huzaifas/scratch/esc...done. (gdb) run Starting program: /home/huzaifas/scratch/esc [Thread debugging using libthread_db enabled] Program received signal SIGSEGV, Segmentation fault. 0x000000316f2482a0 in append_escaped_text (length=<optimized out>, text=<optimized out>, str=0x601e00) at gmarkup.c:2106 2106 next = g_utf8_next_char (p); (gdb) bt #0 0x000000316f2482a0 in append_escaped_text (length=<optimized out>, text=<optimized out>, str=0x601e00) at gmarkup.c:2106 #1 g_markup_escape_text (text=<optimized out>, length=<optimized out>) at gmarkup.c:2182 #2 0x000000000040052b in main () at esc.c:6 (gdb) frame 0 #0 0x000000316f2482a0 in append_escaped_text (length=<optimized out>, text=<optimized out>, str=0x601e00) at gmarkup.c:2106 2106 next = g_utf8_next_char (p); (gdb) p p $1 = (const gchar *) 0x401000 <Address 0x401000 out of bounds>
The version of pidgin shipped in Red Hat Enterprise Linux 6 explicitly disables support for SILC protocol and therefore is not affected. This issue affects the version of pidgin shipped with Red Hat Enterprise Linux 4 and 5. This issue affects the version of pidgin shipped with Fedora 14 and 15.
Statement: Not vulnerable. This issue did not affect the version of pidgin as shipped with Red Hat Enterprise Linux 6 as it explicitly disables support for the SILC protocol.
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2011:1371 https://rhn.redhat.com/errata/RHSA-2011-1371.html
pidgin-2.10.1-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
pidgin-2.10.1-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.