xorl %eax, %eax

CVE-2012-2369: pidgin-otr Log Message Format String


The issue was discovered by intrigeri, as we can see in this email to the oss-security mailing list. Additionally, the project's website notes that this does not affect other applications using libotr: the bug sits in the pidgin-otr plugin's own logging callback, not in libotr itself. Here is the vulnerable code as seen in otr-plugin.c.

static void log_message_cb(void *opdata, const char *message)
{
    /* message is handed to purple_debug_info() in the position where it expects a format string */
    purple_debug_info("otr", message);
}

Where purple_debug_info() is defined with the following prototype.

void purple_debug_info(const char *category,
                       const char *format,
                       ...);

And of course, this means that the way it is called in log_message_cb() is insecure. message is passed as the format argument with no further arguments, so any conversion directive it contains (%x, %s, %n and so on) is interpreted by the printf-style formatter instead of being logged literally: a classic format string vulnerability, which can be used to read stack contents or, through %n, to write to memory.
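To make the difference concrete, here is an added example (not code from pidgin-otr or libpurple). It replaces purple_debug_info() with a stand-in called debug_info_stub() that formats into a buffer so the result can be inspected, and puts the vulnerable and the fixed callback side by side. The names debug_info_stub, log_vulnerable, log_fixed and format_directives are assumptions made for this example, and the sample message is constructed. The vulnerable path only runs on messages that carry no real conversion directive (only the harmless "%%" escape), because running it on "%x" or "%n" would be undefined behaviour; the real plugin had no such guard.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for libpurple's purple_debug_info(): same printf-style shape,
 * but writes "category: <formatted text>" into out instead of the debug log.
 * (Assumption for this example; not the real function.) */
static void debug_info_stub(char *out, size_t outsz,
                            const char *category, const char *format, ...)
{
    va_list ap;
    int n = snprintf(out, outsz, "%s: ", category);
    if (n < 0 || (size_t)n >= outsz)
        return;
    va_start(ap, format);
    vsnprintf(out + n, outsz - (size_t)n, format, ap);
    va_end(ap);
}

/* Count the conversion directives a printf-style formatter would act on.
 * "%%" is a literal percent sign and is not counted; a lone trailing '%'
 * is counted because the formatter would still try to interpret it. */
static int format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* escaped percent, skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

static char g_vuln[256];
static char g_fixed[256];

/* Mirrors the CVE-2012-2369 callback: message is used as the format string.
 * Returns NULL instead of formatting when message contains real directives,
 * purely so this demo never executes undefined behaviour; the plugin itself
 * performed no such check. */
static const char *log_vulnerable(const char *message)
{
    if (format_directives(message) > 0)
        return NULL;
    debug_info_stub(g_vuln, sizeof g_vuln, "otr", message);
    return g_vuln;
}

/* Mirrors the patched callback: message is an argument to a "%s" format,
 * so nothing inside it is ever interpreted. */
static const char *log_fixed(const char *message)
{
    debug_info_stub(g_fixed, sizeof g_fixed, "otr", "%s", message);
    return g_fixed;
}

int main(void)
{
    /* Constructed sample: a peer-influenced message containing "%%". */
    const char *msg = "ratio 50%% done";
    printf("vulnerable: %s\n", log_vulnerable(msg));
    printf("fixed:      %s\n", log_fixed(msg));
    printf("directives in \"%%x %%n\": %d\n", format_directives("%x %n"));
    return 0;
}
```

The vulnerable path turns "50%%" into "50%" because the formatter consumed the escape; the fixed path logs the bytes it was given. If debug_info_stub() were annotated with __attribute__((format(printf, 3, 4))), as libpurple's header does for purple_debug_info(), GCC's -Wformat-security would flag the log_vulnerable() call at compile time; the attribute is left off here only so the deliberately vulnerable function still builds under -Werror=format-security.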

The fix was to add the missing specifier with the below patch.

static void log_message_cb(void *opdata, const char *message)
{
-    purple_debug_info("otr", message);
+    purple_debug_info("otr", "%s", message);
}
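Review bot: the one-line change is the correct and complete fix for this callback, since message now reaches purple_debug_info() only as the argument of a "%s" conversion and nothing it contains is interpreted. Worth adding -Wformat-security (or -Werror=format-security) to the plugin's build flags: libpurple declares purple_debug_info() with a printf format attribute, so the compiler would have flagged `purple_debug_info("otr", message);` (non-literal format, no format arguments) at exactly this call site, and will catch the same pattern in any other printf-style wrapper the plugin calls.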

Written by xorl

May 18, 2012 at 10:02

Posted in bugs
