Opened 8 years ago

Closed 7 years ago

Last modified 7 years ago

#14682 closed patch (fixed)

Segfault in g_markup_escape_text when receiving authorization denied message

Reported by: evgenyboger
Owned by: MarkDoliner
Milestone: 2.10.1
Component: ICQ
Version: 2.7.11
Keywords:
Cc:

Description

The following is the gdb output:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff4d67740 in g_markup_escape_text () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
(gdb) bt
#0  0x00007ffff4d67740 in g_markup_escape_text () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#1  0x0000000000487bee in pidgin_notify_message (type=<value optimized out>, title=<value optimized out>, 
    primary=0x7ffff7f83012 "В авторизации отказано", 
    secondary=0x1d941a0 "Пользователь 323476898 не разрешил добавить его в ваш список собеседников по следующей причине:\n\320\340\361\361\352\340\346\363 \362\345\341\345 \361\345\352\360\345\362 - \313\363\367\370\345 \367", <incomplete sequence \340>...)
    at /build/buildd/pidgin-2.7.11/./pidgin/gtknotify.c:548
#2  0x00007ffff4a6a6af in purple_notify_message (handle=0x1ed2aa0, type=PURPLE_NOTIFY_MSG_INFO, title=0x0, 
    primary=0x7ffff7f83012 "В авторизации отказано", secondary=<value optimized out>, cb=0, user_data=0x0)
    at /build/buildd/pidgin-2.7.11/./libpurple/notify.c:71
#3  0x00007fffe779635b in purple_ssi_authreply (od=<value optimized out>, conn=<value optimized out>, fr=<value optimized out>)
    at /build/buildd/pidgin-2.7.11/./libpurple/protocols/oscar/oscar.c:4377
#4  0x00007fffe778eddd in receiveauthreply (od=0x1d44b40, conn=0xbdb340, mod=<value optimized out>, frame=0xbdb3b0, snac=0x7fffffffba50, bs=0xbdb3b8)
    at /build/buildd/pidgin-2.7.11/./libpurple/protocols/oscar/family_feedbag.c:1831
#5  snachandler (od=0x1d44b40, conn=0xbdb340, mod=<value optimized out>, frame=0xbdb3b0, snac=0x7fffffffba50, bs=0xbdb3b8)
    at /build/buildd/pidgin-2.7.11/./libpurple/protocols/oscar/family_feedbag.c:1895
#6  0x00007fffe77907a2 in parse_snac (conn=0xbdb340) at /build/buildd/pidgin-2.7.11/./libpurple/protocols/oscar/flap_connection.c:776
#7  parse_flap (conn=0xbdb340) at /build/buildd/pidgin-2.7.11/./libpurple/protocols/oscar/flap_connection.c:862
#8  flap_connection_recv (conn=0xbdb340) at /build/buildd/pidgin-2.7.11/./libpurple/protocols/oscar/flap_connection.c:985
#9  0x0000000000468f5e in pidgin_io_invoke (source=<value optimized out>, condition=<value optimized out>, data=<value optimized out>)
    at /build/buildd/pidgin-2.7.11/./pidgin/gtkeventloop.c:73
#10 0x00007ffff4d61bcd in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#11 0x00007ffff4d623a8 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#12 0x00007ffff4d629f2 in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#13 0x00007ffff641daf7 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#14 0x0000000000481d68 in main (argc=1, argv=0x7fffffffe0a8) at /build/buildd/pidgin-2.7.11/./pidgin/gtkmain.c:931

And the proposed patch:

--- 1/oscar.c	2011-03-11 05:20:28.000000000 +0300
+++ oscar.c	2011-10-20 08:42:18.000000000 +0400
@@ -4373,6 +4373,12 @@
 		purple_notify_info(gc, NULL, _("Authorization Granted"), dialog_msg);
 	} else {
 		/* Denied */
+        if (msg && !g_utf8_validate(msg, -1, NULL)) {
+            purple_debug_warning("oscar", "ssi: received authorization reply from %s with "
+                    "invalid UTF-8 message\n", bn);
+            msg = 0;
+        }
+
 		dialog_msg = g_strdup_printf(_("The user %s has denied your request to add them to your buddy list for the following reason:\n%s"), nombre, msg ? msg : _("No reason given."));
 		purple_notify_info(gc, NULL, _("Authorization Denied"), dialog_msg);
 	}
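Review bot: the new check throws the whole reason text away (`msg = 0`) as soon as one byte is not valid UTF-8, so the user sees "No reason given." even when most of the message is readable; the bytes in the backtrace are a CP1251 string, and libpurple's own purple_utf8_salvage() would keep the readable part and replace only the offending bytes, which is the safer default for a user-visible dialog. Two smaller points in the same hunk: a pointer should be cleared with `NULL` rather than `0`, and the added lines are indented with spaces while the surrounding code in oscar.c uses tabs. The debug message also refers to `bn`, whereas the visible code names the buddy `nombre`; please confirm `bn` is the raw screen name in scope at this point. Finally, the guard only covers the "Denied" branch; if `msg` is also interpolated into the "Authorization Granted" dialog_msg (its construction is outside this hunk), it needs the same validation there.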

Change History (5)

comment:1 Changed 7 years ago by MarkDoliner

Thanks for finding this and letting us know about it. Do you have a name I could use to refer to you in our ChangeLog? "Evgeny Boger"?

comment:2 Changed 7 years ago by evgenyboger

Exactly.

comment:3 Changed 7 years ago by markdoliner@…

  • Milestone set to 2.10.1
  • Resolution set to fixed
  • Status changed from new to closed

(In 757272a78a8ca6027d518e614712c3399e34dda3):
Fix remotely-triggerable crashes by validating strings in a few messages related to buddy list management. Fixes #14682

I changed the four functions that parse incoming authorization-related SNACs. The changes are:

  • Make sure we have a buddy name and it is valid UTF-8. If not, we drop the SNAC and log a debug message (we can't do much with an empty, invalid or incorrect buddy name). This wasn't a part of the bug report and I doubt it's actually a problem, but it seems like a good idea regardless.
  • If the incoming message is not valid UTF-8 then use purple_utf8_salvage() to replace invalid bytes with question marks. I believe this fixes the bug in question.
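The salvage step described in the commit message, as an added example written for this page rather than libpurple's or GLib's own code. libpurple calls g_utf8_validate() and purple_utf8_salvage(); to build with nothing but libc, this example implements the same two operations itself: utf8_validate() returns 1 only for well-formed UTF-8 (overlongs, surrogates and code points above U+10FFFF rejected), utf8_salvage() replaces every byte that is not part of a well-formed sequence with '?', and build_denied_dialog() mirrors the fixed "Denied" branch so that unvalidated bytes never reach the notification path. SAMPLE_MSG is constructed here to mimic the backtrace: a valid UTF-8 prefix followed by CP1251 bytes (the octal escapes from the gdb output). All function and constant names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length in bytes of the well-formed UTF-8 sequence starting at s (n bytes
 * available), or 0 if s does not start one. Follows the Unicode table of
 * well-formed byte sequences: no overlongs, no surrogates, max U+10FFFF. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    unsigned char c, lo = 0x80, hi = 0xBF;
    if (n == 0) return 0;
    c = s[0];
    if (c < 0x80) return 1;
    if (c < 0xC2) return 0;                 /* stray continuation or overlong lead */
    if (c < 0xE0) {                         /* 2-byte: C2..DF 80..BF */
        if (n < 2 || (s[1] & 0xC0) != 0x80) return 0;
        return 2;
    }
    if (c < 0xF0) {                         /* 3-byte */
        if (n < 3) return 0;
        if (c == 0xE0) lo = 0xA0;           /* reject overlong */
        if (c == 0xED) hi = 0x9F;           /* reject UTF-16 surrogates */
        if (s[1] < lo || s[1] > hi || (s[2] & 0xC0) != 0x80) return 0;
        return 3;
    }
    if (c < 0xF5) {                         /* 4-byte */
        if (n < 4) return 0;
        if (c == 0xF0) lo = 0x90;           /* reject overlong */
        if (c == 0xF4) hi = 0x8F;           /* reject > U+10FFFF */
        if (s[1] < lo || s[1] > hi) return 0;
        if ((s[2] & 0xC0) != 0x80 || (s[3] & 0xC0) != 0x80) return 0;
        return 4;
    }
    return 0;                               /* F5..FF never start a sequence */
}

/* Same contract as g_utf8_validate(s, -1, NULL): 1 if every byte of the
 * NUL-terminated string belongs to a well-formed sequence, else 0. */
int utf8_validate(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t n = strlen(s), i = 0, len;
    while (i < n) {
        if ((len = utf8_seq_len(p + i, n - i)) == 0) return 0;
        i += len;
    }
    return 1;
}

/* Salvage in the spirit of purple_utf8_salvage(): newly allocated copy of s
 * in which each byte outside a well-formed sequence becomes '?'. The result
 * is valid UTF-8 and never longer than the input. Caller frees. */
char *utf8_salvage(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t n = strlen(s), i = 0, o = 0, len;
    char *out = malloc(n + 1);
    if (!out) return NULL;
    while (i < n) {
        len = utf8_seq_len(p + i, n - i);
        if (len == 0) { out[o++] = '?'; i++; }
        else { memcpy(out + o, p + i, len); o += len; i += len; }
    }
    out[o] = '\0';
    return out;
}

/* Mirror of the fixed "Denied" branch: the reason is validated, salvaged if
 * needed, and only then formatted into the dialog text. Caller frees. */
char *build_denied_dialog(const char *nombre, const char *msg)
{
    const char *reason = "No reason given.";
    char *salvaged = NULL, *dialog;
    size_t len;
    if (msg && utf8_validate(msg)) reason = msg;
    else if (msg && (salvaged = utf8_salvage(msg)) != NULL) reason = salvaged;
    len = strlen(nombre) + strlen(reason) + 128;    /* template is < 128 bytes */
    if ((dialog = malloc(len)) != NULL)
        snprintf(dialog, len, "The user %s has denied your request to add them "
                 "to your buddy list for the following reason:\n%s", nombre, reason);
    free(salvaged);
    return dialog;
}

/* Constructed sample (not a captured packet): "Причина:\n" in UTF-8 followed
 * by CP1251 bytes as seen in the backtrace, which are not valid UTF-8. */
static const char SAMPLE_MSG[] =
    "\xd0\x9f\xd1\x80\xd0\xb8\xd1\x87\xd0\xb8\xd0\xbd\xd0\xb0:\n"
    "\320\340\361\361\352\340\346\363 \362\345\341\345";
```

Running utf8_salvage() over SAMPLE_MSG keeps the valid prefix and turns the thirteen CP1251 bytes into "???????? ????" (the space survives because it is plain ASCII); build_denied_dialog() therefore always returns text that a function with a valid-UTF-8 precondition, such as g_markup_escape_text(), can walk safely. The validator is deliberately strict: a lead byte followed by a non-continuation byte is rejected at the lead byte and consumed one byte at a time, so a truncated sequence at the end of the string cannot make the scan read past the terminator.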

comment:4 Changed 7 years ago by MarkDoliner

FYI we just released Pidgin 2.10.1, which includes a fix for this.

Evgeny, if you find bugs like this in the future (anytime a remote user can cause Pidgin to crash or become unusable), please report them to us privately via the security@… mailing list. There's more information about this here: http://pidgin.im/security/ and here: http://developer.pidgin.im/wiki/SecurityVulnerabilityProcess

Thanks!

comment:5 Changed 7 years ago by thijsalkemade@…

(In e135769d57c55a9ec473ff0537f6eb62c0575408):
* Plucked 757272a78a8ca6027d518e614712c3399e34dda3 (markdoliner@…): Fix remotely-triggerable crashes by validating strings in a few messages related to buddy list management. Fixes #14682

I changed the four functions that parse incoming authorization-related SNACs. The changes are:

  • Make sure we have a buddy name and it is valid UTF-8. If not, we drop the SNAC and log a debug message (we can't do much with an empty, invalid or incorrect buddy name). This wasn't a part of the bug report and I doubt it's actually a problem, but it seems like a good idea regardless.
  • If the incoming message is not valid UTF-8 then use purple_utf8_salvage() to replace invalid bytes with question marks. I believe this fixes the bug in question.