Public bug reported:

Binary package hint: libpurple0

The Bonjour code seems not to deal correctly with closing conversations.

The function bonjour_jabber_close_conversation may be called several
times, causing double free()s and crashes.

Examples to trigger this would be to send this message twice (and close the
connection again after each, e.g. using netcat):
<?xml version="1.0" encoding="utf-8" ?>
<message to="destinat...@localhost" from="sen...@localhost" 
type="chat"><body>Hello Wolrd</body></message>

Or you can also crash pidgin using only one of the messages and then close the 
conversation window.
Or you can also crash pidgin using only one message like that:
<?xml version="1.0" encoding="utf-8" ?>
<stream:stream xmlns="jabber:client" 
xmlns:stream="http://etherx.jabber.org/streams"; from="sen...@localhost" 
to="destinat...@localhost"><message to="destinat...@localhost" 
from="sen...@localhost" type="chat"><body>Hello 
Wolrd</body></message></stream:stream>

Which will cause pidgin to crash, because of the two stream-tags that
cause the async_bonjour_jabber_close_conversation to be called twice.
valgrind will then complain about bytes being read from a structure that
was already free()d earlier.

All references to the bconv struct should be set to NULL once it has
been free()d, so that libpurple does not try to free it again.

As this is networking code, it is at best annoying to have attackers
being able to crash all local-network-bonjour-running pidgins…

** Affects: pidgin (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  Binary package hint: libpurple0
  
  The Bonjour code seems not to deal correctly with closing conversations.
  
  The function bonjour_jabber_close_conversation may be called several
  times, causing double free()s and crashes.
  
  Examples to trigger this would be to send this message twice (and close the 
connection after each again, e.g. use netcat):
  <?xml version="1.0" encoding="utf-8" ?>
  <message to="destinat...@localhost" from="sen...@localhost" 
type="chat"><body>Hello Wolrd</body></message>
  
  Or you can also crash pidgin using only one of the messages and then close 
the conversation window.
  Or you can also crash pidgin using only one message like that:
  <?xml version="1.0" encoding="utf-8" ?>
- <stream:stream xmlns="jabber:client" 
xmlns:stream="http://etherx.jabber.org/streams"; from="jackdani...@odyssey" 
to="rumpel...@tuxinateur"><message to="destinat...@localhost" 
from="sen...@localhost" type="chat"><body>Hello 
Wolrd</body></message></stream:stream>
+ <stream:stream xmlns="jabber:client" 
xmlns:stream="http://etherx.jabber.org/streams"; from="sen...@localhost" 
to="destinat...@localhost"><message to="destinat...@localhost" 
from="sen...@localhost" type="chat"><body>Hello 
Wolrd</body></message></stream:stream>
  
  Which will cause pidgin to crash, because of the two stream-tags that
  cause the async_bonjour_jabber_close_conversation to be called twice.
  valgrind will the complain about bytes being read from a structure that
  was already free()d earlier.
  
  All references to the bconv struct should be set to NULL once it has
  been free()d, so that libpurple does not try to free it again.
  
  As this is networking code, it is at best annoying to have attackers
  being able to crash all local-network-bonjour-running pidgins…

-- 
bonjour closes conversation (bconv) multiple times
https://bugs.launchpad.net/bugs/386694
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
