pidgin/pidgin

Merged TALOS-CAN-0141
release-2.x.y
2016-06-12, Gary Kramlich
34d56e0586c4
Merged TALOS-CAN-0141
--- a/ChangeLog Sun Jun 12 22:22:06 2016 -0500
+++ b/ChangeLog Sun Jun 12 22:26:39 2016 -0500
@@ -39,6 +39,8 @@
Cisco Talos (TALOS-CAN-0137)
* Fixed a remote code execution issue discovered by Yves Younan of Cisco
Talos. (TALOS-CAN-0142)
+ * Fixed a remote denial of service vulnerability in contact mood
+ handling. Discovered by Yves Younan of Cisco Talos (TALOS-CAN-0141)
version 2.10.12 (12/31/15):
General:
--- a/libpurple/protocols/mxit/protocol.c Sun Jun 12 22:22:06 2016 -0500
+++ b/libpurple/protocols/mxit/protocol.c Sun Jun 12 22:26:39 2016 -0500
@@ -1694,6 +1694,24 @@
/*------------------------------------------------------------------------
+ * Parse the received mood value, and ensure that it is supported.
+ *
+ * @param value The received mood value.
+ * @return A valid mood value.
+ */
+static short mxit_parse_mood( const char* value )
+{
+ short mood = atoi( value );
+
+ /* ensure that the mood value is valid */
+ if ( ( mood >= MXIT_MOOD_NONE ) && ( mood <= MXIT_MOOD_STRESSED ) )
+ return mood;
+
+ return MXIT_MOOD_NONE;
+}
+
+
+/*------------------------------------------------------------------------
* Process a received contact update packet.
*
* @param session The MXit session object
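Review bot: In `mxit_parse_mood`, `short mood = atoi( value );` narrows the parsed integer to `short` before the range check, so a network-supplied value outside the `short` range is converted in an implementation-defined way and may wrap into the accepted range instead of being rejected. `atoi` also has undefined behaviour when the digits do not fit in an `int`, and it cannot report non-numeric input. Parsing into a wider type and narrowing only after the check avoids both: `long mood = strtol( value, NULL, 10 );`, then the existing comparison, then `return (short) mood;`. The returned value is bounded either way, so this is about rejecting malformed input rather than a memory-safety gap. The doc comment could also say that any unparseable or out-of-range value maps to `MXIT_MOOD_NONE`.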
@@ -1726,7 +1744,7 @@
contact->presence = mxit_parse_presence( rec->fields[3]->data );
contact->type = atoi( rec->fields[4]->data );
- contact->mood = atoi( rec->fields[5]->data );
+ contact->mood = mxit_parse_mood( rec->fields[5]->data );
if ( rec->fcount > 6 ) {
/* added in protocol 5.9 - flags & subtype */
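Review bot: `contact->type = atoi( rec->fields[4]->data );`, directly above the changed line, still stores a peer-supplied integer without a range check, while the mood field from the same record is now validated. Whether `type` needs the same treatment depends on how it is consumed later, which is not visible in this hunk. If it selects a table entry or a switch case elsewhere, a small parse helper like the one added for mood would keep the handling consistent. The enclosing function starts and ends outside the hunk, so the `rec->fcount` guard that would make `fields[5]` safe to read cannot be confirmed from here.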
@@ -1783,7 +1801,7 @@
if ( rec->fcount >= 7 ) /* flags field is included */
flags = atoi( rec->fields[6]->data );
- mxit_update_buddy_presence( session, rec->fields[0]->data, mxit_parse_presence( rec->fields[1]->data ), atoi( rec->fields[2]->data ),
+ mxit_update_buddy_presence( session, rec->fields[0]->data, mxit_parse_presence( rec->fields[1]->data ), mxit_parse_mood( rec->fields[2]->data ),
rec->fields[3]->data, rec->fields[4]->data, flags );
mxit_update_buddy_avatar( session, rec->fields[0]->data, rec->fields[5]->data );
}
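Review bot: After this change the mood is validated only at the two parse sites in protocol.c, because the same commit deletes the clamp next to `contact->mood = mood;` in roster.c. Any other caller that passes a mood into that roster function (presumably `mxit_update_buddy_presence`) now stores it unchecked. Keeping the sink-side check, which is cheap and idempotent, would preserve the defence in depth; at minimum, document the precondition at the assignment, e.g. `/* mood must already be validated by mxit_parse_mood() */`. `flags = atoi( rec->fields[6]->data );` in this hunk is likewise taken from the packet as-is. The enclosing function starts outside the hunk.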
--- a/libpurple/protocols/mxit/roster.c Sun Jun 12 22:22:06 2016 -0500
+++ b/libpurple/protocols/mxit/roster.c Sun Jun 12 22:26:39 2016 -0500
@@ -473,10 +473,6 @@
contact->mood = mood;
contact->capabilities = flags;
- /* validate mood */
- if ( ( contact->mood < MXIT_MOOD_NONE ) || ( contact->mood > MXIT_MOOD_STRESSED ) )
- contact->mood = MXIT_MOOD_NONE;
-
g_strlcpy( contact->customMood, customMood, sizeof( contact->customMood ) );
// TODO: Download custom mood frame.