### DESCRIPTION

A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a null pointer dereference. A malicious server or an attacker who intercepts the network traffic can send invalid data to trigger this vulnerability and cause a crash.

### CVSSv3 SCORE

5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

### TESTED VERSIONS

Pidgin 2.10.11

### PRODUCT URLs

https://www.pidgin.im/

### DETAILS

When handling markup commands there are insufficient checks to validate that all required fields have been provided to successfully execute the command, potentially resulting in a null pointer dereference when trying to use those values.

When a command is received in a message, the function mxit_parse_command() is called. This function is defined at line 562 in the file mxit/formcmds.c. It expects to find values in the key=value format and inserts these pairs into a hash table:

```
hash = command_tokenize(start); /* break into <key,value> pairs */
```

It then checks what type of command it is dealing with and calls the appropriate function. Two functions in particular rely on key/value pairs that, if not defined, cause a null pointer dereference.

The first function is command_imagestrip(), defined at line 383 in mxit/formcmds.c. At lines 393-399 it looks up the values of the keys nm, v and dat:

```
/* image strip name */
name = g_hash_table_lookup(hash, "nm");
/* validator */
validator = g_hash_table_lookup(hash, "v");
/* image data */
tmp = g_hash_table_lookup(hash, "dat");
```

While there is a check at line 400 to ensure that tmp is not NULL, there are no similar checks for name and validator. This causes a null pointer dereference when they are used at lines 419 and 420:

```
escname = g_strdup(purple_escape_filename(name));
escvalidator = g_strdup(purple_escape_filename(validator));
```

The keys fw, fh and layer have similar errors at lines 432-439, where a missing key hands NULL to atoi():

```
tmp = g_hash_table_lookup(hash, "fw");
width = atoi(tmp);
tmp = g_hash_table_lookup(hash, "fh");
height = atoi(tmp);
tmp = g_hash_table_lookup(hash, "layer");
layer = atoi(tmp);
```

Similar errors also occur in the function command_table(), defined in mxit/formcmds.c, at lines 530-543:

```
tmp = g_hash_table_lookup(hash, "col");
nr_columns = atoi(tmp);
/* number of rows */
tmp = g_hash_table_lookup(hash, "row");
nr_rows = atoi(tmp);
/* mode */
tmp = g_hash_table_lookup(hash, "mode");
mode = atoi(tmp);
/* table data */
tmp = g_hash_table_lookup(hash, "d");
coldata = g_strsplit(tmp, "~", 0);
```

If any of these key/value pairs are missing, a crash will ensue.

### TIMELINE

* 2016-04-13 - Vendor Notification
* 2016-06-21 - Public Disclosure
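The defensive pattern that the DETAILS section calls for is to treat every hash-table lookup as possibly returning NULL and to reject the whole command when a required field is absent, rather than passing the lookup result straight to atoi() or g_strsplit(). The block below is an added example, not Pidgin's code: it re-implements a minimal key=value tokenizer and lookup in plain C (standing in for command_tokenize() and g_hash_table_lookup(), with `|` as a constructed pair separator that does not reflect the real MXIT wire format) and a hardened counterpart of command_table() that validates the col, row, mode and d fields named in the advisory before using them. The function names kv_tokenize(), kv_lookup(), kv_required_int() and parse_table_command() and the numeric sanity bound are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Pidgin code. The '|' separator between key=value
 * pairs is a constructed assumption, not the MXIT wire format. */
#define KV_MAX_PAIRS 16
#define KV_MAX_LEN   256

typedef struct { const char *key; const char *value; } kv_pair;
typedef struct { kv_pair pairs[KV_MAX_PAIRS]; int count; } kv_table;

/* Split "k=v|k=v|..." in place into key/value pointers (stands in for
 * command_tokenize()). Tokens without '=' are ignored. */
static int kv_tokenize(char *buf, kv_table *t)
{
    t->count = 0;
    char *tok = buf;
    while (tok && *tok) {
        char *next = strchr(tok, '|');
        if (next)
            *next++ = '\0';
        char *eq = strchr(tok, '=');
        if (eq && t->count < KV_MAX_PAIRS) {
            *eq = '\0';
            t->pairs[t->count].key = tok;
            t->pairs[t->count].value = eq + 1;
            t->count++;
        }
        tok = next;
    }
    return t->count;
}

/* Like g_hash_table_lookup(): returns NULL when the key is absent. */
static const char *kv_lookup(const kv_table *t, const char *key)
{
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->pairs[i].key, key) == 0)
            return t->pairs[i].value;
    return NULL;
}

/* Required integer field. Returns 0 (instead of calling atoi(NULL)) when
 * the key is missing, empty, non-numeric, or outside a sanity bound. */
static int kv_required_int(const kv_table *t, const char *key, int *out)
{
    const char *v = kv_lookup(t, key);
    if (!v || *v == '\0')
        return 0;
    char *end;
    long n = strtol(v, &end, 10);
    if (*end != '\0' || n < 0 || n > 10000) /* constructed bound for this example */
        return 0;
    *out = (int)n;
    return 1;
}

typedef struct { int nr_columns; int nr_rows; int mode; char data[KV_MAX_LEN]; } table_cmd;

/* Hardened counterpart of command_table(): every field is validated before
 * use, and a missing field rejects the whole command. Returns 1 on success. */
int parse_table_command(const char *cmd, table_cmd *out)
{
    char buf[KV_MAX_LEN];
    if (strlen(cmd) >= sizeof buf)
        return 0;
    strcpy(buf, cmd);
    kv_table t;
    kv_tokenize(buf, &t);

    if (!kv_required_int(&t, "col", &out->nr_columns)) return 0;
    if (!kv_required_int(&t, "row", &out->nr_rows))    return 0;
    if (!kv_required_int(&t, "mode", &out->mode))      return 0;
    const char *d = kv_lookup(&t, "d");
    if (!d) /* the original passes this NULL straight to g_strsplit() */
        return 0;
    strcpy(out->data, d);
    return 1;
}

int main(void)
{
    table_cmd tc;
    const char *ok = "col=3|row=2|mode=1|d=a~b~c~d~e~f"; /* constructed input */
    const char *bad = "col=3|row=2|d=a~b";              /* mode missing */
    printf("valid command accepted: %d\n", parse_table_command(ok, &tc));
    printf("command with missing field rejected: %d\n", !parse_table_command(bad, &tc));
    return 0;
}
```

The point of the example is that a missing field becomes a rejected command (return value 0) instead of a crash; the same required-field check applied to nm, v, fw, fh and layer in command_imagestrip() would close the other paths the advisory lists.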