[CVE-2008-2927] MSN integer overflow in Pidgin

Bug #245770 reported by Till Ulen on 2008-07-05
268
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pidgin (Debian)
Fix Released
Unknown
pidgin (Fedora)
Fix Released
Medium
pidgin (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: pidgin

CVE-2008-2927 is a remote buffer overflow vulnerability in the MSN protocol handler. Apparently it can lead to arbitrary code execution. It's not yet in the public vulnerability databases, so please see the Debian bug for reference: <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488632>. I think it is the same issue as described in this Bugtraq post <http://www.securityfocus.com/archive/1/493682/30/60/threaded>.

An integer overflow in Pidgin's MSN protocol handler could allow malformed SLP
message to cause an integer overflow, which could result in arbitrary code
execution.

This flaw is only exploitable by individuals who can message a user, which is
controlled by the Pidgin privacy setting. The default setting is to only allow
messages from users in the buddy list.

Created attachment 310788
Proposed upstream patch

#
#
# patch "libpurple/protocols/msnp9/slplink.c"
# from [0148f31961bbe4a9a992377e70db082952505db4]
# to [f65596ea173bf7c9c1114edd7599140f470e7788]
#
============================================================
--- libpurple/protocols/msnp9/slplink.c 0148f31961bbe4a9a992377e70db082952505db4
+++ libpurple/protocols/msnp9/slplink.c f65596ea173bf7c9c1114edd7599140f470e7788
@@ -597,7 +597,7 @@ msn_slplink_process_msg(MsnSlpLink *slpl
  }
  else if (slpmsg->size)
  {
- if ((offset + len) > slpmsg->size)
+ if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size)
   {
    purple_debug_error("msn", "Oversized slpmsg\n");
    g_return_if_reached();

For reference, this is the upstream patch that went into 2.4.3. I need to
backport this for pidgin-2.3.1 in RHEL4 and RHEL5, and pidgin-1.5.x in RHEL3.

I'm making this bug public in order to avoid creating confusion.

Till Ulen (tillulen) wrote :

Adding a CVE reference: CVE-2008-2927

Till Ulen (tillulen) wrote :

Here is a description from the Red Hat bug:

"An integer overflow in Pidgin's MSN protocol handler could allow malformed SLP
message to cause an integer overflow, which could result in arbitrary code
execution.

This flaw is only exploitable by individuals who can message a user, which is
controlled by the Pidgin privacy setting. The default setting is to only allow
messages from users in the buddy list."

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2927

Changed in pidgin:
status: Unknown → New

Here is the debdiff.

Upstream advisory:
  http://www.pidgin.im/news/security/?id=25

Fixed upstream in: 2.4.3

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin - 1:2.2.1-1ubuntu4.3

---------------
pidgin (1:2.2.1-1ubuntu4.3) gutsy-security; urgency=low

  * SECURITY UPDATE: code execution via integer overflow in the MSN protocol
    handler (LP: #245770)
    - debian/patches/99_SECURITY_CVE-2008-2927.patch: fix
      msn_slplink_process_msg() in src/protocols/msn/slplink.c by checking
      against maximum size G_MAXSIZE.
    - CVE-2008-2927
  * SECURITY UPDATE: denial of service via specially formulated long
    filename (LP: #245769)
    - debian/patches/99_SECURITY_CVE-2008-2955.patch: change
      src/protocols/msn/[slplink.c,slpcall.*] to make sure xfer structure still
      exists before putting dest_fp in it.
    - CVE-2008-2955
  * SECURITY UPDATE: denial of service via resource exhaustion from arbitrary
    URL in UPnP functionality (LP: #245769)
    - debian/patches/99_SECURITY_CVE-2008-2957.patch: modified
      libpurple/[upnp.c,util.*] to add purple_util_fetch_url_request_len() in
      order to limit http downloads to 128k.
    - CVE-2008-2957
  * SECURITY UPDATE: man in the middle attack from lack of certificate
    validation in nss plugin (LP: #251304)
    - debian/patches/99_SECURITY_CVE-2008-3532.patch: modified
      libpurple/plugins/ssl/ssl-nss.c to add certificate validation code.
    - CVE-2008-3532

 -- Marc Deslauriers <email address hidden> Thu, 20 Nov 2008 15:54:34 -0500

Changed in pidgin:
status: New → Fix Released
Artur Rona (ari-tczew) on 2009-09-13
tags: added: patch
Changed in pidgin (Debian):
status: New → Confirmed
Changed in pidgin (Debian):
status: Confirmed → Fix Released
Changed in pidgin (Fedora):
importance: Unknown → Medium
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.