Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:Alexander_Naumov:SLE-12:Update
pidgin
pidgin-CVE-2014-3696
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File pidgin-CVE-2014-3696 of Package pidgin
# HG changeset patch # User Mark Doliner <mark@kingant.net> # Date 1396942285 25200 # Tue Apr 08 00:31:25 2014 -0700 # Branch release-2.x.y # Node ID 44fd8915877754d378f859dae73b64b39d4e7cb0 # Parent 6436e14bdb9d997dfd73cc7cea1b300c37fa401d In Novell Groupwise, fix potential remote crash parsing server message that indicates that a large amount of memory should be allocated. I added arbitrary max size checks that are hopefully larger than any real expected value. It was kinda weird that the existing check on checked MAXINT. We'll want to request a CVE ID for this. Discovered by Yves Younan and Richard Johnson of Sourcefire VRT diff -r 6436e14bdb9d -r 44fd89158777 libpurple/protocols/novell/nmevent.c --- a/libpurple/protocols/novell/nmevent.c Mon Apr 07 23:45:55 2014 -0700 +++ b/libpurple/protocols/novell/nmevent.c Tue Apr 08 00:31:25 2014 -0700 @@ -149,7 +149,7 @@ /* Read the conference guid */ rc = nm_read_uint32(conn, &size); - if (size == MAX_UINT32) return NMERR_PROTOCOL; + if (size > 1000) return NMERR_PROTOCOL; if (rc == NM_OK) { guid = g_new0(char, size + 1); @@ -164,7 +164,7 @@ /* Read the message text */ if (rc == NM_OK) { rc = nm_read_uint32(conn, &size); - if (size == MAX_UINT32) return NMERR_PROTOCOL; + if (size > 100000) return NMERR_PROTOCOL; if (rc == NM_OK) { msg = g_new0(char, size + 1); @@ -270,7 +270,7 @@ /* Read the conference guid */ rc = nm_read_uint32(conn, &size); - if (size == MAX_UINT32) return NMERR_PROTOCOL; + if (size > 1000) return NMERR_PROTOCOL; if (rc == NM_OK) { guid = g_new0(char, size + 1); @@ -280,7 +280,7 @@ /* Read the the message */ if (rc == NM_OK) { rc = nm_read_uint32(conn, &size); - if (size == MAX_UINT32) return NMERR_PROTOCOL; + if (size > 100000) return NMERR_PROTOCOL; if (rc == NM_OK) { msg = g_new0(char, size + 1); @@ -349,7 +349,7 @@ /* Read the conference guid */ rc = nm_read_uint32(conn, &size); - if (size == MAX_UINT32) return NMERR_PROTOCOL; + if (size > 1000) return NMERR_PROTOCOL; if (rc == NM_OK) { guid = g_new0(char, size + 1); @@ -401,7 +401,7 @@ /* Read the conference guid */ rc = nm_read_uint32(conn, &size); - if (size == MAX_UINT32) return NMERR_PROTOCOL; + if (size > 1000) return NMERR_PROTOCOL; if (rc == NM_OK) { guid = g_new0(char, size + 1); @@ -440,7 +440,7 @@ /* Read the conference guid */ rc = nm_read_uint32(conn, &size); - if (size == MAX_UINT32) return NMERR_PROTOCOL; + if (size > 1000) return NMERR_PROTOCOL; if (rc == NM_OK) { guid = g_new0(char, size + 1); @@ -490,7 +490,7 @@ /* Read the conference guid */ rc = nm_read_uint32(conn, &size); - if (size == MAX_UINT32) return NMERR_PROTOCOL; + if (size > 1000) return NMERR_PROTOCOL; if (rc == NM_OK) { guid = g_new0(char, size + 1); @@ -530,7 +530,7 @@ /* Read the conference guid */ rc = nm_read_uint32(conn, &size); - if (size == MAX_UINT32) return NMERR_PROTOCOL; + if (size > 1000) return NMERR_PROTOCOL; if (rc == NM_OK) { guid = g_new0(char, size + 1); @@ -589,7 +589,7 @@ /* Read the conference guid */ rc = nm_read_uint32(conn, &size); - if (size == MAX_UINT32) return NMERR_PROTOCOL; + if (size > 1000) return NMERR_PROTOCOL; if (rc == NM_OK) { guid = g_new0(char, size + 1); @@ -632,7 +632,7 @@ /* Read the status text */ rc = nm_read_uint32(conn, &size); - if (size == MAX_UINT32) return NMERR_PROTOCOL; + if (size > 10000) return NMERR_PROTOCOL; if (rc == NM_OK) { text = g_new0(char, size + 1); @@ -670,7 +670,7 @@ /* Read the conference guid */ rc = nm_read_uint32(conn, &size); - if (size == MAX_UINT32) return NMERR_PROTOCOL; + if (size > 1000) return NMERR_PROTOCOL; if (rc == NM_OK) { guid = g_new0(char, size + 1); @@ -833,7 +833,10 @@ /* Read the event source */ rc = nm_read_uint32(conn, &size); if (rc == NM_OK) { - if (size > 0) { + if (size > 1000000) { + /* Size is larger than our 1MB sanity check. Ignore it. */ + rc = NMERR_PROTOCOL; + } else { source = g_new0(char, size); rc = nm_read_all(conn, source, size);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor