pidgin/nest

Update the changelog for the 2.14.7 release
default tip
6 days ago, Gary Kramlich
d040bee36d7c
Update the changelog for the 2.14.7 release

Testing Done:
None

Reviewed at https://reviews.imfreedom.org/r/928/
---
title: cve-2004-0754-00
date: 2004-08-26T00:00:00.000Z
cveNumber: cve-2004-0754
summary: Groupware message receive integer overflow
discoveredBy: Sean (infamous42md)
fixedInRelease: 0.82
fixedInRevision:
hidden: true
type: security
layout: cve
---
### Description
Integer overflow in memory allocation results in heap overflow. By passing the
size variable as `~0`, integer overflows to 0 when 1 is added in `g_alloc()`.
A `malloc(0)` call results in 16 bytes of memory being allocated on IA- 32.
Then we can overflow the heap when `nm_read_all()` is called next step.
Usually cases like this suck for exploitation, because the len (`~0`) is so
large that a following call to `memcpy()` or `strcpy()` will just run into
kernel mem or unmapped address and fault. However in this case we read the
data from the network via a `read()` call, so we can just stop sending data and
close the connection to short out before `~0` bytes are read. However, this is
triggered by input from the server, not directly from a client. Someone
running a malicious groupware server could leverage this to run arbitrary code
on the client.
### Mitigation
Bounds checking was added.