CVE-2016-2365
A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a null pointer dereference. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash.
5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Pidgin 2.10.11
https://www.pidgin.im/
When handling markup commands there are insufficient checks to validate that all required fields have been provided to successfully execute the command, potentially resulting in a null pointer dereference when trying to use those values.
When a command is received in a message, the function mxit_parse_command() is called. This function is defined at line 562 in the file mxit/formcmds.c.
This function expects to find values in the key=value format and inserts these pairs into a hash table:
hash = command_tokenize(start); /* break into <key,value> pairs */
It will then check what type of command it is dealing with and will call the appropriate function.
Two functions in particular will rely on key/value pairs that, if not defined, will cause a null pointer dereference.
The first function is command_imagestrip(), defined at line 383 in mxit/formcmds.c. At lines 393-399 it looks up the values of the keys nm, v and dat:
/* image strip name */
name = g_hash_table_lookup(hash, "nm");
/* validator */
validator = g_hash_table_lookup(hash, "v");
/* image data */
tmp = g_hash_table_lookup(hash, "dat");
While there is a check at line 400 to ensure that tmp is not NULL, there are no similar checks for name and validator, so a command missing the nm or v key results in a null pointer dereference when those values are used at lines 419 and 420:
escname = g_strdup(purple_escape_filename(name));
escvalidator = g_strdup(purple_escape_filename(validator));
The lookups of the keys fw, fh and layer at lines 432-439 have the same problem: the result is passed straight to atoi() without a NULL check:
tmp = g_hash_table_lookup(hash, "fw");
width = atoi(tmp);
tmp = g_hash_table_lookup(hash, "fh");
height = atoi(tmp);
tmp = g_hash_table_lookup(hash, "layer");
layer = atoi(tmp);
The same pattern occurs in the function command_table(), defined in mxit/formcmds.c, at lines 530-543:
tmp = g_hash_table_lookup(hash, "col");
nr_columns = atoi(tmp);
/* number of rows */
tmp = g_hash_table_lookup(hash, "row");
nr_rows = atoi(tmp);
/* mode */
tmp = g_hash_table_lookup(hash, "mode");
mode = atoi(tmp);
/* table data */
tmp = g_hash_table_lookup(hash, "d");
coldata = g_strsplit(tmp, "~", 0);
If any of these key/value pairs is missing from the command, the NULL returned by g_hash_table_lookup() is passed straight to atoi() or g_strsplit() and the client crashes.
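The fix the advisory implies, as an added example that is not Pidgin's code: a plain-C stand-in for command_tokenize() and g_hash_table_lookup() (no GLib needed), with an imagestrip parser that checks every required key before calling atoi(). The '|' delimiter, the table sizes and the sample command strings are constructed for this example and are not MXIT's real wire format.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a minimal stand-in for command_tokenize()/g_hash_table_lookup().
 * Pairs are separated by '|' here; that delimiter and the fixed table size are
 * constructed for this example, not MXIT's real format. */
#define MAX_PAIRS 16
struct kv { char key[32]; char val[128]; };
struct kvtable { struct kv pairs[MAX_PAIRS]; int n; };

/* Split "k1=v1|k2=v2" into pairs; returns the number of pairs stored. */
static int tokenize(const char *cmd, struct kvtable *t) {
    char buf[512];
    t->n = 0;
    strncpy(buf, cmd, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, "|"); tok && t->n < MAX_PAIRS; tok = strtok(NULL, "|")) {
        char *eq = strchr(tok, '=');
        if (!eq) continue;                 /* malformed pair: skip it */
        *eq = '\0';
        snprintf(t->pairs[t->n].key, sizeof t->pairs[0].key, "%s", tok);
        snprintf(t->pairs[t->n].val, sizeof t->pairs[0].val, "%s", eq + 1);
        t->n++;
    }
    return t->n;
}

/* Like g_hash_table_lookup(): returns NULL when the key is absent. */
static const char *lookup(const struct kvtable *t, const char *key) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->pairs[i].key, key) == 0) return t->pairs[i].val;
    return NULL;
}

struct imagestrip { const char *name, *validator, *data; int width, height, layer; };

/* Hardened command_imagestrip() parsing: every required key is checked before
 * use, so a command missing e.g. "nm" or "fw" is rejected (-1) instead of
 * reaching purple_escape_filename(NULL) or atoi(NULL). */
static int parse_imagestrip(const struct kvtable *t, struct imagestrip *out) {
    const char *fw = lookup(t, "fw"), *fh = lookup(t, "fh"), *layer = lookup(t, "layer");
    out->name = lookup(t, "nm");
    out->validator = lookup(t, "v");
    out->data = lookup(t, "dat");
    if (!out->name || !out->validator || !out->data || !fw || !fh || !layer)
        return -1;                         /* required field missing: drop the command */
    out->width = atoi(fw); out->height = atoi(fh); out->layer = atoi(layer);
    return 0;
}
```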
2016-04-13 - Vendor Notification
2016-06-21 - Public Disclosure
Discovered by Yves Younan of Cisco Talos.