[CVE-2008-2927] MSN integer overflow in Pidgin

Bug #245770 reported by Till Ulen
Affects / Status / Importance / Assigned to / Milestone
pidgin (Debian): Fix Released, importance Unknown
pidgin (Fedora): Fix Released, importance Medium
pidgin (Ubuntu): Fix Released, importance Undecided, Unassigned

Bug Description

Binary package hint: pidgin

CVE-2008-2927 is a remote buffer overflow vulnerability in the MSN protocol handler. Apparently it can lead to arbitrary code execution. It's not yet in the public vulnerability databases, so please see the Debian bug for reference: <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488632>. I think it is the same issue as described in this Bugtraq post <http://www.securityfocus.com/archive/1/493682/30/60/threaded>.

Tags: patch
Revision history for this message
In , Josh (josh-redhat-bugs) wrote :

An integer overflow in Pidgin's MSN protocol handler could allow a malformed SLP
message to cause an integer overflow, which could result in arbitrary code
execution.

This flaw is only exploitable by individuals who can message a user, which is
controlled by the Pidgin privacy setting. The default setting is to only allow
messages from users in the buddy list.
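The wrap-around described above, as an added example in C that is not Pidgin's own code: it places a bounds check of the pre-fix shape beside one of the post-fix shape (SIZE_MAX standing in for GLib's G_MAXSIZE) and runs both over a constructed set of chunk offsets; the struct and function names are hypothetical.

```c
#include <stdint.h>   /* SIZE_MAX stands in for GLib's G_MAXSIZE */
#include <stdio.h>

/* Constructed stand-in for one SLP data chunk (hypothetical name): where it
 * claims to sit in the reassembled message and how many bytes it carries. */
typedef struct { size_t offset, len; } slp_chunk_t;

/* Pre-fix check: offset + len is computed in size_t, so an offset near
 * SIZE_MAX wraps the sum to a small value that passes. Returns 1 if accepted. */
int chunk_fits_unchecked(size_t msg_size, size_t offset, size_t len)
{
    return (offset + len) > msg_size ? 0 : 1;
}

/* Post-fix check, same shape as the 2.4.3 condition: the first clause
 * rejects any pair whose sum would wrap, so the second comparison only
 * ever sees a sum that did not wrap. */
int chunk_fits_hardened(size_t msg_size, size_t offset, size_t len)
{
    if (SIZE_MAX - len < offset || (offset + len) > msg_size)
        return 0;
    return 1;
}

/* Runs a constructed chunk sequence through one of the checks and returns
 * how many chunks it accepts. Input: two well-formed chunks, one plainly
 * oversized chunk, and one whose offset makes offset + len wrap. */
int demo_accepted(int hardened)
{
    const slp_chunk_t chunks[] = {
        { 0,             512 },
        { 512,           512 },
        { 1000,          100 },
        { SIZE_MAX - 10, 20  },
    };
    int (*check)(size_t, size_t, size_t) =
        hardened ? chunk_fits_hardened : chunk_fits_unchecked;
    int accepted = 0;
    for (size_t i = 0; i < sizeof chunks / sizeof chunks[0]; i++)
        if (check(1024, chunks[i].offset, chunks[i].len))
            accepted++;
    return accepted;
}

int main(void)
{
    printf("pre-fix check accepts %d of 4 chunks, post-fix accepts %d of 4\n",
           demo_accepted(0), demo_accepted(1));
    return 0;
}
```

The wrapped chunk is the only one the two checks disagree on: the pre-fix form accepts it because the sum wraps to 9, the post-fix form rejects it before the addition happens.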

Revision history for this message
In , Josh (josh-redhat-bugs) wrote :

Created attachment 310788
Proposed upstream patch

Revision history for this message
In , Warren (warren-redhat-bugs) wrote :

#
#
# patch "libpurple/protocols/msnp9/slplink.c"
# from [0148f31961bbe4a9a992377e70db082952505db4]
# to [f65596ea173bf7c9c1114edd7599140f470e7788]
#
============================================================
--- libpurple/protocols/msnp9/slplink.c 0148f31961bbe4a9a992377e70db082952505db4
+++ libpurple/protocols/msnp9/slplink.c f65596ea173bf7c9c1114edd7599140f470e7788
@@ -597,7 +597,7 @@ msn_slplink_process_msg(MsnSlpLink *slpl
  }
  else if (slpmsg->size)
  {
- if ((offset + len) > slpmsg->size)
+ if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size)
   {
    purple_debug_error("msn", "Oversized slpmsg\n");
    g_return_if_reached();
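Review bot: the guard `G_MAXSIZE - len < offset` only prevents the wrap in `offset + len` if both operands are gsize-width values, and the context lines do not show the declarations of `offset` and `len`, so confirm neither is a narrower or signed integer that would be promoted differently; the hunk also ends at `g_return_if_reached()`, so the copy this condition protects is not visible in the diff. Since `"Oversized slpmsg\n"` is now emitted for two distinct conditions, logging `offset`, `len` and `slpmsg->size` alongside it would let a wrap-around attempt be told apart from an ordinary oversized chunk in the debug output.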

For reference, this is the upstream patch that went into 2.4.3. I need to
backport this for pidgin-2.3.1 in RHEL4 and RHEL5, and pidgin-1.5.x in RHEL3.

Revision history for this message
In , Josh (josh-redhat-bugs) wrote :

I'm making this bug public in order to avoid creating confusion.

Revision history for this message
Till Ulen (tillulen) wrote :

Adding a CVE reference: CVE-2008-2927

Revision history for this message
Till Ulen (tillulen) wrote :

Here is a description from the Red Hat bug:

"An integer overflow in Pidgin's MSN protocol handler could allow a malformed SLP
message to cause an integer overflow, which could result in arbitrary code
execution.

This flaw is only exploitable by individuals who can message a user, which is
controlled by the Pidgin privacy setting. The default setting is to only allow
messages from users in the buddy list."

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2927

Changed in pidgin:
status: Unknown → New
Revision history for this message
Ikuya Awashiro (ikuya-fruitsbasket) wrote :

Here is the debdiff.

Revision history for this message
In , Tomas (tomas-redhat-bugs) wrote :

Upstream advisory:
  http://www.pidgin.im/news/security/?id=25

Fixed upstream in: 2.4.3

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin - 1:2.2.1-1ubuntu4.3

---------------
pidgin (1:2.2.1-1ubuntu4.3) gutsy-security; urgency=low

  * SECURITY UPDATE: code execution via integer overflow in the MSN protocol
    handler (LP: #245770)
    - debian/patches/99_SECURITY_CVE-2008-2927.patch: fix
      msn_slplink_process_msg() in src/protocols/msn/slplink.c by checking
      against maximum size G_MAXSIZE.
    - CVE-2008-2927
  * SECURITY UPDATE: denial of service via specially formulated long
    filename (LP: #245769)
    - debian/patches/99_SECURITY_CVE-2008-2955.patch: change
      src/protocols/msn/[slplink.c,slpcall.*] to make sure xfer structure still
      exists before putting dest_fp in it.
    - CVE-2008-2955
  * SECURITY UPDATE: denial of service via resource exhaustion from arbitrary
    URL in UPnP functionality (LP: #245769)
    - debian/patches/99_SECURITY_CVE-2008-2957.patch: modified
      libpurple/[upnp.c,util.*] to add purple_util_fetch_url_request_len() in
      order to limit http downloads to 128k.
    - CVE-2008-2957
  * SECURITY UPDATE: man in the middle attack from lack of certificate
    validation in nss plugin (LP: #251304)
    - debian/patches/99_SECURITY_CVE-2008-3532.patch: modified
      libpurple/plugins/ssl/ssl-nss.c to add certificate validation code.
    - CVE-2008-3532

 -- Marc Deslauriers <email address hidden> Thu, 20 Nov 2008 15:54:34 -0500

Changed in pidgin:
status: New → Fix Released
Revision history for this message
In , Red (red-redhat-bugs) wrote :
Artur Rona (ari-tczew)
tags: added: patch
Changed in pidgin (Debian):
status: New → Confirmed
Changed in pidgin (Debian):
status: Confirmed → Fix Released
Changed in pidgin (Fedora):
importance: Unknown → Medium
status: Unknown → Fix Released