[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4AA3EC75.7060102@icysilence.org>
Date: Sun, 06 Sep 2009 19:08:05 +0200
From: Cristofaro Mune <pulsoid@...silence.org>
To: full-disclosure@...ts.grok.org.uk
Subject: IS-2009-001 - Pidgin IRC TOPIC message DOS
Security Advisory
IS-2009-001 - Pidgin IRC TOPIC message DOS
Advisory Information
--------------------
Published:
2009-09-03
Updated:
2009-09-06
Vulnerable:
Pidgin 2.6.1
Previous versions may be also affected.
Not Vulnerable:
Pidgin 2.6.2
Vulnerability Details
---------------------
Class:
Denial of Service
Remote:
Yes
Local:
No
Public References:
CVE: CVE-2009-2703
BugtraqID: 36277
Summary:
A malicious IRC server may perform a remote denial of service by sending
a malformed IRC TOPIC message.
Application crash will occur upon reception of such message.
Details:
A properly crafted IRC TOPIC message is able to trigger a NULL pointer
dereference in the libpurple code portion devoted to IRC message parsing.
The relevant code is located in libpurple/protocols/irc inside the
pidgin source tree.
Failure in populating a zero-filled array with the proper values, will
occur when parsing some TOPIC messages that do not include a topic
description field.
Such an array will then be processed by irc_msg_topic in msgs.c and
irc_mirc2txt in parse.c, without being checked for the presence of NULL
values.
This leads to a NULL pointer dereference in irc_mirc2txt, causing a
segmentation fault and the application crash.
An attacker could also trigger the vulnerability by properly injecting,
by any means, a '\r\n' sequence into a valid TOPIC message.
Solution:
Upgrade to Pidgin 2.6.2
Additional Information
----------------------
A more detailed analysis is available on http://www.icysilence.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists