From mmholt at gmail.com Tue Jun 1 08:54:50 2010
From: mmholt at gmail.com (Mary Holt)
Date: Tue, 1 Jun 2010 07:54:50 -0500
Subject: pidgin-2.7.1.exe
Message-ID:

pidgin-2.7.1.exe triggered my Spybot S+D, which said it carried Win32.FraudLoad.

--
Mary Holt
mmholt at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From daniel.atallah at gmail.com Tue Jun 1 10:32:15 2010
From: daniel.atallah at gmail.com (Daniel Atallah)
Date: Tue, 1 Jun 2010 10:32:15 -0400
Subject: pidgin-2.7.1.exe
In-Reply-To:
References:
Message-ID:

On Tue, Jun 1, 2010 at 08:54, Mary Holt wrote:
> pidgin-2.7.1.exe triggered my Spybot S+D, which said it carried
> Win32.FraudLoad.

This is a false positive. See
http://virusscan.jotti.org/en/scanresult/383b5b72735de5d987983eeaf3eb037e5182d301

We've had this happen before where some detection utilities misidentify the NSIS installer as malware because some malware uses it. Unfortunately, there isn't a lot we can do about it.

If Spybot has a mechanism for reporting false positives, please do so.

Thanks,
-Daniel

From mark at kingant.net Fri Jun 18 21:18:47 2010
From: mark at kingant.net (Mark Doliner)
Date: Fri, 18 Jun 2010 18:18:47 -0700
Subject: Remotely-triggerable crash in oscar xstatus code
Message-ID:

I believe I found a security problem (frowny face).

I'm going out of town Sunday through July 4th and will have limited Internet access. After someone confirms this problem and confirms that the attached patch is a good fix, would anyone be willing to contact the packagers list, provide this info, and request a CVE number? I do not believe this bug is known in the wild, so maybe we can set an embargo date around July 10th? I'm fine with making that soon or later.

As always, please do not disclose this information to the public unless we have released fixed source and binary packages.
Full description:

This patch attempts to fix four bugs in the oscar protocol plugin that were introduced with the X-Status code in Pidgin 2.7.0.

Problem #1 (the remotely-triggerable crash):
The crash happens when a buddy sets an xstatus message containing <desc> but no closing </desc>, or <title> but no closing </title>. The fix is to check the result of strstr(closing_tag_name) and do nothing if it is NULL.

Problem #2:
Fixes potential incorrect parsing of the xstatus string that could result in an incorrect message being displayed to the libpurple user. Happens if an xstatus message contains before , or before . The fix is to start looking for the closing tag at the end of the beginning tag rather than at the beginning of the xstatus xml. Probably not a security problem, but definitely a bug.

Problem #3:
Fixes potential incorrect parsing of the xstatus string that could result in the title not being shown to the libpurple user. Happens if the close title tag appears after the desc tag in the xstatus xml, because we add a null character at the beginning of the close title tag, so strstr() for the desc tag would stop searching there. Probably not a security problem, but definitely a bug.

Problem #4:
Fixes potential incorrect display of the xstatus string that could result in an incorrect message being displayed to the libpurple user. Happens because we're reusing the 'xml' string when preparing the string for the user, but we copy values from xml to xml. If those values overlap with themselves or with each other then an incorrect value could be displayed. Probably not a security problem, but definitely a bug.

--Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: oscar_xstatus_remote_crash_fix_1.diff
Type: text/x-patch
Size: 4715 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20100618/cc1da370/attachment.bin>

From rekkanoryo at rekkanoryo.org Wed Jun 23 01:53:29 2010
From: rekkanoryo at rekkanoryo.org (John Bailey)
Date: Wed, 23 Jun 2010 01:53:29 -0400
Subject: Remotely-triggerable crash in oscar xstatus code
In-Reply-To: <AANLkTimGqBN4IjFssnKERK1tKDC1Cgd_MmPQuBQaEq29@mail.gmail.com>
References: <AANLkTimGqBN4IjFssnKERK1tKDC1Cgd_MmPQuBQaEq29@mail.gmail.com>
Message-ID: <4C21A159.1050901@rekkanoryo.org>

On 06/18/2010 09:18 PM, Mark Doliner wrote:
> Problem #1 (the remotely-triggerable crash):
> The crash happens when a buddy sets an xstatus message containing <desc>
> but no closing </desc>, or <title> but no closing </title>. The fix
> is to check the result of strstr(closing_tag_name) and do nothing if it
> is NULL.

I haven't produced this crash, but seeing the old code and your patch, it's pretty obvious this would crash. The fix looks correct.

As for the other problems, I'm less concerned about them. That said, although I'm no expert on this OSCAR stuff (hey, isn't that your department? :-P ), the rest of the patch looks reasonable enough to me. The code compiles and runs.

My vote is to proceed.

John
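Mark's report describes the four parsing defects in prose. As an added illustration (hypothetical code written for this archive page, not the oscar plugin's code and not the attached patch), here is a tag extractor that avoids all four problems, exercised with constructed xstatus payloads for each case:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical field extractor (added illustration, not Pidgin's code).
 * Returns a newly allocated copy of the text between <tag> and </tag>,
 * or NULL when either tag is absent.  'xml' is never written to, so no
 * NUL is planted that could cut a later search short (problem #3) and
 * the copy cannot overlap its source (problem #4). */
static char *xstatus_field(const char *xml, const char *tag)
{
    char open[32], close[32], *out;
    const char *start, *end;
    size_t len;

    snprintf(open, sizeof open, "<%s>", tag);
    snprintf(close, sizeof close, "</%s>", tag);
    start = strstr(xml, open);
    if (start == NULL)
        return NULL;
    start += strlen(open);
    /* Look for the close tag only after the open tag (problem #2) and
     * do nothing when it is missing instead of crashing (problem #1). */
    end = strstr(start, close);
    if (end == NULL)
        return NULL;
    len = (size_t)(end - start);
    out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, start, len);
    out[len] = '\0';
    return out;
}

/* 1 if the extracted field equals 'expected' (NULL meaning "absent"). */
static int field_equals(const char *xml, const char *tag, const char *expected)
{
    char *got = xstatus_field(xml, tag);
    int same = (got == NULL) ? (expected == NULL)
                             : (expected != NULL && strcmp(got, expected) == 0);
    free(got);
    return same;
}
int main(void)
{
    /* Constructed xstatus payloads mirroring the cases in the report. */
    printf("well-formed:  %d\n", field_equals("<title>Lunch</title><desc>back at 1</desc>", "desc", "back at 1"));
    printf("no close tag: %d\n", field_equals("<title>Lunch</title><desc>never closed", "desc", NULL));
    printf("close first:  %d\n", field_equals("</desc>junk<desc>real</desc>", "desc", "real"));
    return 0;
}
```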
From BabbRuthie at ccsr.qc.ca Thu Jun 24 15:36:52 2010
From: BabbRuthie at ccsr.qc.ca (presto Hoyt)
Date: Thu, 24 Jun 2010 15:36:52 -0400
Subject: I have a list of 5 million New businesses in the USA
Message-ID: <8facc315-8ff4-46a8-b068-009ae549f035@p3tg2k3svr01.ximand.com>

We have many package deals on sale this week, here is one:

Veterinarians - 78,986 total records with 1,438 emails and 1,050 fax numbers
National Health Service Corp Clinics - 1,300 total records with emails for government run free clinics
Medical Equipment Suppliers - 167,425 total records with 6,940 emails and 5,812 fax numbers
Optometrists - 63,837 records 2,015 emails

All complete lists above: $299

There are more packages and not just for healthcare, contact me here for more info or to get samples: supremelists at gmx.com

email takemeoff at gmx.com for delisting