Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 385073 (CVE-2011-3594) - <net-im/pidgin-2.10.0-r1 Heap-based buffer overflow by processing certain SILC private messages (CVE-2011-3594)
Summary: <net-im/pidgin-2.10.0-r1 Heap-based buffer overflow by processing certain SIL...
Status: RESOLVED FIXED
Alias: CVE-2011-3594
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://developer.pidgin.im/ticket/14636
Whiteboard: B3 [glsa]
Keywords:
: 385657 (view as bug list)
Depends on:
Blocks:
 
Reported: 2011-09-30 11:14 UTC by Sean Amoss
Modified: 2012-06-21 18:29 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sean Amoss gentoo-dev Security 2011-09-30 11:14:44 UTC
A heap-based buffer overflow flaw was found in the way the SILC Purple Pidgin
protocol plug-in escaped certain UTF-8 private messages. If a Pidgin client
received a specially-crafted SILC message, it could cause Pidgin to crash, or,
potentially lead to arbitrary code execution with the privileges of the user
running Pidgin.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-10-02 03:45:31 UTC
Updated the bug summary only. Reading the upstream ticket, I believe 2.10.0 is affected. 2.10.1 *may* include this fix, but as always, we'll wait and see.
Comment 2 Sean Amoss gentoo-dev Security 2011-10-02 17:46:58 UTC
@underling: Correct, sorry about that.
@net-im: Looks like a fix is available.

From oss-security http://www.openwall.com/lists/oss-security/2011/10/01/1 :

"This bug is believed to affect all releases of libpurple up to and
including version 2.10.0.

The correct fix for this bug is UTF-8 validation (and correction if
necessary) of the incoming string before passing it to Glib.  A patch
which provides this fix has been applied to the Pidgin sources in
revision 7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8 and will appear in
all future Pidgin releases.  For reference, it is:

    http://developer.pidgin.im/viewmtn/revision/diff/be5e66abad2af29604bc794cc4c6600ab12751f3/with/7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8

All packagers of libpurple (including monolithic Pidgin and/or finch
packages) who have not already done so are encouraged to apply this
change to their packages immediately."
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2011-10-02 18:14:22 UTC
Patch was added in 2.10.0-r1. Arch teams, please, stabilize.
Comment 4 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-10-02 19:19:53 UTC
amd64: all ok
Comment 5 Agostino Sarubbo gentoo-dev 2011-10-03 10:32:50 UTC
@pva 

Please remove -g from CFLAGS for the next release.

amd64 ok.
Comment 6 Agostino Sarubbo gentoo-dev 2011-10-03 13:44:39 UTC
Upstream changed the info about the bug.
Please take a look at: https://secunia.com/advisories/46298/

Changing From B1 to B3
Comment 7 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-10-03 18:38:42 UTC
ppc/ppc64 stable
Comment 8 Andreas Schürch gentoo-dev 2011-10-04 08:06:18 UTC
x86 stable.
Comment 9 Jeroen Roovers gentoo-dev 2011-10-04 14:05:08 UTC
Stable for HPPA.
Comment 10 Markos Chandras (RETIRED) gentoo-dev 2011-10-04 19:28:40 UTC
amd64 done. Thanks Elijah
Comment 11 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-10-04 20:09:27 UTC
*** Bug 385657 has been marked as a duplicate of this bug. ***
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2011-10-08 17:58:37 UTC
alpha/ia64/sparc stable
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-10-09 04:19:09 UTC
Thanks, folks. GLSA Vote: yes.
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-09 11:35:32 UTC
Vote: YES. Added to pending GLSA request.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2011-11-16 23:37:11 UTC
CVE-2011-3594 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3594):
  The g_markup_escape_text function in the SILC protocol plug-in in libpurple
  2.10.0 and earlier, as used in Pidgin and possibly other products, allows
  remote attackers to cause a denial of service (crash) via invalid UTF-8
  sequences that trigger use of invalid pointers and an out-of-bounds read,
  related to interactions with certain versions of glib2.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2011-11-16 23:37:12 UTC
CVE-2011-3594 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3594):
  The g_markup_escape_text function in the SILC protocol plug-in in libpurple
  2.10.0 and earlier, as used in Pidgin and possibly other products, allows
  remote attackers to cause a denial of service (crash) via invalid UTF-8
  sequences that trigger use of invalid pointers and an out-of-bounds read,
  related to interactions with certain versions of glib2.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 18:29:09 UTC
This issue was resolved and addressed in
 GLSA 201206-11 at http://security.gentoo.org/glsa/glsa-201206-11.xml
by GLSA coordinator Stefan Behte (craig).