Security Advisory

IS-2009-001 - Pidgin IRC TOPIC message DOS


Advisory Information
--------------------
Published:
2009-09-03

Updated:
2009-09-06

Vulnerable:
Pidgin 2.6.1
Previous versions may be also affected.

Not Vulnerable:
Pidgin 2.6.2

Vulnerability Details
---------------------
Class:
Denial of Service

Remote:
Yes

Local:
No

Public References:
CVE: CVE-2009-2703
BugtraqID: 36277


Summary:
A malicious IRC server may perform a remote denial of service by sending
a malformed IRC TOPIC message.
Application crash will occur upon reception of such message.


Details:
A properly crafted IRC TOPIC message is able to trigger a NULL pointer
dereference in the libpurple code portion devoted to IRC message parsing.
The relevant code is located in libpurple/protocols/irc inside the
pidgin source tree.

Failure in populating a zero-filled array with the proper values, will
occur when parsing some TOPIC messages that do not include a topic
description field.
Such an array will then be processed by irc_msg_topic in msgs.c and
irc_mirc2txt in parse.c, without being checked for the presence of NULL
values.
This leads to a NULL pointer dereference in irc_mirc2txt, causing a
segmentation fault and the application crash.

An attacker could also trigger the vulnerability by properly injecting,
by any means, a '\r\n' sequence into a valid TOPIC message.


Solution:
Upgrade to Pidgin 2.6.2


Additional Information
----------------------
A more detailed analysis is available on http://www.icysilence.org