385657 – <net-im/pidgin-2.10.0 libpurple Heap memory corruption using g_markup_escape_text() without sanitizing first (CVE-2011-3594)

Bug 385657 - <net-im/pidgin-2.10.0 libpurple Heap memory corruption using g_markup_escape_text() without sanitizing first (CVE-2011-3594)

Summary: <net-im/pidgin-2.10.0 libpurple Heap memory corruption using g_markup_escape_...

Status:	RESOLVED DUPLICATE of bug 385073

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	http://developer.pidgin.im/ticket/14636
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2011-10-04 19:49 UTC by Michael Harrison
Modified:	2011-10-04 20:09 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Harrison 2011-10-04 19:49:06 UTC

The vulnerability lies in calling g_markup_escape_text() on strings
which have not been verified as valid UTF-8.  This function is not
required to do anything reasonable with invalid UTF-8, and indeed
reads past the end of the string and will eventually segfault for
certain sequences in some versions of Glib 2.  Because the behavior 
of this function is undefined, and depends on the particular version of Glib 2 in use, the complete ramifications of this bug are unknown.  Remote crashing of a libpurple client by untrusted users via specifically crafted SILC messages is a verified vulnerability.

This bug is believed to affect all releases of libpurple up to and including version 2.10.0.

Comment 1 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev

2011-10-04 20:09:27 UTC


*** This bug has been marked as a duplicate of bug 385073 ***