An integer overflow in Pidgin's MSN protocol handler could allow a malformed SLP message to cause an integer overflow, which could result in arbitrary code execution. This flaw is only exploitable by individuals who can message a user, which is controlled by the Pidgin privacy setting. The default setting is to only allow messages from users in the buddy list.
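The following C program is an added example, not Pidgin's code and not the upstream patch: it models the bounds check that msn_slplink_process_msg makes before an SLP chunk is copied into the reassembly buffer, side by side in its pre-2.4.3 form and with the wraparound guard the 2.4.3 fix adds. The function names, the chunk layout and the sample transfer are constructed for illustration; SLP_MAXSIZE stands in for GLib's G_MAXSIZE.

```c
/* Added example: models the SLP chunk size check, not Pidgin code.
 * Names and sample data below are constructed for illustration. */
#include <stddef.h>
#include <stdio.h>

#define SLP_MAXSIZE ((size_t)-1)   /* stands in for G_MAXSIZE */

/* Pre-2.4.3 shape of the check: accept when offset + len <= total.
 * offset + len is computed in size_t and can wrap to a small value. */
static int slp_chunk_ok_unsafe(size_t offset, size_t len, size_t total)
{
    return (offset + len) <= total;
}

/* 2.4.3 shape of the check: reject before the addition can wrap. */
static int slp_chunk_ok_fixed(size_t offset, size_t len, size_t total)
{
    if (SLP_MAXSIZE - len < offset)
        return 0;                       /* offset + len would wrap */
    return (offset + len) <= total;
}

/* Returns 1 when 'check' accepts a chunk whose true end lies past the
 * buffer of 'total' bytes, i.e. the check would let a memcpy run
 * outside the buffer. The end is computed without doing the addition. */
static int slp_check_admits_oob(int (*check)(size_t, size_t, size_t),
                                size_t offset, size_t len, size_t total)
{
    int past_end = (offset > total) || (len > total - offset);
    return check(offset, len, total) && past_end;
}

struct slp_chunk { size_t offset; size_t len; };

/* Constructed sample: a 1024-byte transfer delivered as two in-range
 * chunks plus one crafted chunk whose offset makes offset + len wrap
 * around to 7, which passes the unguarded comparison. */
static const size_t sample_total = 1024;
static const struct slp_chunk sample_chunks[] = {
    {   0,              512 },
    { 512,              512 },
    { SLP_MAXSIZE - 8,   16 },
};

/* Runs every sample chunk through 'check' and returns how many were
 * accepted even though they would write outside the buffer. */
static int count_oob_accepted(int (*check)(size_t, size_t, size_t))
{
    int n = 0;
    size_t i, count = sizeof sample_chunks / sizeof sample_chunks[0];
    for (i = 0; i < count; i++)
        n += slp_check_admits_oob(check, sample_chunks[i].offset,
                                  sample_chunks[i].len, sample_total);
    return n;
}

int main(void)
{
    printf("unguarded check admits %d out-of-bounds chunk(s)\n",
           count_oob_accepted(slp_chunk_ok_unsafe));
    printf("guarded check admits %d out-of-bounds chunk(s)\n",
           count_oob_accepted(slp_chunk_ok_fixed));
    return 0;
}
```

The guarded form keeps the original comparison and only adds the `SLP_MAXSIZE - len < offset` test in front of it, which is exactly the shape of the upstream change; note that it relies on both operands being unsigned, so a backport has to confirm the types of `offset` and `len` in the target tree.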
Created attachment 310788 Proposed upstream patch
# # # patch "libpurple/protocols/msnp9/slplink.c" # from [0148f31961bbe4a9a992377e70db082952505db4] # to [f65596ea173bf7c9c1114edd7599140f470e7788] # ============================================================ --- libpurple/protocols/msnp9/slplink.c 0148f31961bbe4a9a992377e70db082952505db4 +++ libpurple/protocols/msnp9/slplink.c f65596ea173bf7c9c1114edd7599140f470e7788 @@ -597,7 +597,7 @@ msn_slplink_process_msg(MsnSlpLink *slpl } else if (slpmsg->size) { - if ((offset + len) > slpmsg->size) + if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size) { purple_debug_error("msn", "Oversized slpmsg\n"); g_return_if_reached(); For reference, this is the upstream patch that went into 2.4.3. I need to backport this for pidgin-2.3.1 in RHEL4 and RHEL5, and pidgin-1.5.x in RHEL3.
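Review bot: the new guard `G_MAXSIZE - len < offset` only catches the wraparound if both `offset` and `len` are unsigned and no wider than gsize; their declarations are not in this hunk, so the pidgin-2.3.1 and pidgin-1.5.x backports should confirm the types in those trees, since a signed `offset` would be converted for the comparison and a negative value could still get past it. Two more points for the backport: the guard is added only in the `else if (slpmsg->size)` branch, so check that the branch before it (not shown here) does not do the same `offset + len` arithmetic unguarded; and G_MAXSIZE was introduced in GLib 2.4, so the RHEL3 build may need it spelled as `(gsize)-1` or supplied by a local define.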
I'm making this bug public in order to avoid creating confusion.
Upstream advisory: http://www.pidgin.im/news/security/?id=25
Fixed upstream in: 2.4.3
This issue was addressed in:
Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2008-0584.html
Fedora:
https://admin.fedoraproject.org/updates/F10/FEDORA-2009-5597
https://admin.fedoraproject.org/updates/F11/FEDORA-2009-5583
https://admin.fedoraproject.org/updates/F9/FEDORA-2009-5552