Pidgin version 2.6.1 suffers from a remote denial of service vulnerability when receiving a malformed IRC TOPIC message from a malicious IRC server.
7ab8b43ac2c2acb3ad6eba05eb13a7a79ce2e4e84598528d24915d411c6ce887
Security Advisory
IS-2009-001 - Pidgin IRC TOPIC message DOS
Advisory Information
--------------------
Published:
2009-09-03
Updated:
2009-09-06
Vulnerable:
Pidgin 2.6.1
Previous versions may be also affected.
Not Vulnerable:
Pidgin 2.6.2
Vulnerability Details
---------------------
Class:
Denial of Service
Remote:
Yes
Local:
No
Public References:
CVE: CVE-2009-2703
BugtraqID: 36277
Summary:
A malicious IRC server may perform a remote denial of service by sending
a malformed IRC TOPIC message.
Application crash will occur upon reception of such message.
Details:
A properly crafted IRC TOPIC message is able to trigger a NULL pointer
dereference in the libpurple code portion devoted to IRC message parsing.
The relevant code is located in libpurple/protocols/irc inside the
pidgin source tree.
Failure in populating a zero-filled array with the proper values, will
occur when parsing some TOPIC messages that do not include a topic
description field.
Such an array will then be processed by irc_msg_topic in msgs.c and
irc_mirc2txt in parse.c, without being checked for the presence of NULL
values.
This leads to a NULL pointer dereference in irc_mirc2txt, causing a
segmentation fault and the application crash.
An attacker could also trigger the vulnerability by properly injecting,
by any means, a '\r\n' sequence into a valid TOPIC message.
Solution:
Upgrade to Pidgin 2.6.2
Additional Information
----------------------
A more detailed analysis is available on http://www.icysilence.org