CVE-2012-2369: pidgin-otr Log Message Format String
The issue was discovered by intrigeri, as we can see in this email on the oss-security mailing list. Additionally, from the project's website we learn that this does not affect other applications using libotr. Here is the vulnerable code as seen in otr-plugin.c.
```c
static void log_message_cb(void *opdata, const char *message)
{
    purple_debug_info("otr", message);
}
```
Where purple_debug_info() is defined with the following prototype.
```c
void purple_debug_info(const char *category, const char *format, ...);
```
And of course, this means that the way purple_debug_info() is called in log_message_cb() is insecure: the message itself is passed as the format argument with no format string specifier, resulting in a classic format string vulnerability.
The fix was to add the missing specifier with the patch below.
static void log_message_cb(void *opdata, const char *message) { - purple_debug_info("otr", message); + purple_debug_info("otr", "%s", message); }
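Review bot: The change is correct: passing the fixed literal "%s" as the format and message as a data argument stops any '%' sequences in the libotr log text from being interpreted by purple_debug_info's printf-style parser. Since purple_debug_info is variadic, every other purple_debug_* call in the plugin that passes a non-literal format has the same shape; building with -Wformat -Wformat-security (or annotating the debug functions with a printf format attribute) would flag any remaining instance at compile time instead of relying on a manual audit.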
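The following is an added example, not code from pidgin-otr or libpurple. It uses a constructed stand-in for purple_debug_info() (here called debug_info(), rendering into a buffer instead of the debug window) so that the fixed callback pattern from the patch can be exercised: a message that happens to contain '%' sequences is copied through literally because the format is the constant "%s". The printf format attribute on the stand-in is this example's own choice; it is what lets -Wformat-security flag a caller that passes the message as the format, which is the pre-fix bug.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Last rendered log line, kept so the result can be inspected. */
static char g_last_log[256];

/* Constructed stand-in for libpurple's purple_debug_info(): a variadic
 * logger whose second parameter is a printf-style format. The format
 * attribute (GCC/Clang only) makes the compiler warn, with
 * -Wformat-security, when a caller passes a non-literal format. */
#if defined(__GNUC__)
__attribute__((format(printf, 2, 3)))
#endif
static void debug_info(const char *category, const char *format, ...)
{
    char body[192];
    va_list ap;

    va_start(ap, format);
    vsnprintf(body, sizeof body, format, ap);
    va_end(ap);
    snprintf(g_last_log, sizeof g_last_log, "[%s] %s", category, body);
}

/* The post-fix callback pattern: a constant "%s" format with the message
 * passed as data, so '%' characters in the message are never parsed. */
static void log_message_fixed(void *opdata, const char *message)
{
    (void)opdata;
    debug_info("otr", "%s", message);
}

/* Log a message through the fixed callback and return the rendered line. */
const char *render_fixed(const char *message)
{
    log_message_fixed(NULL, message);
    return g_last_log;
}

int main(void)
{
    /* Constructed sample: log text that carries format directives, as
     * untrusted text sometimes does. Rendered literally by the fix. */
    const char *sample = "handshake 100% complete %s %n";
    puts(render_fixed(sample));
    return 0;
}
```

Compiling this with -Wformat -Wformat-security and changing the fixed callback back to `debug_info("otr", message)` reproduces the warning a reviewer would want to see for the pre-fix code.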