[Pidgin] #14571: Win32 installer uses insecure GTK+ version

Pidgin trac at pidgin.im
Fri Aug 24 14:48:46 EDT 2012


#14571: Win32 installer uses insecure GTK+ version
--------------------+-------------------------------------------------------
 Reporter:  sdierl  |        Owner:  datallah       
     Type:  defect  |       Status:  new            
Milestone:  3.0.0   |    Component:  winpidgin (gtk)
  Version:  2.10.0  |   Resolution:                 
 Keywords:          |  
--------------------+-------------------------------------------------------

Comment(by ioerror):

 Replying to [comment:18 datallah]:
 > Replying to [comment:15 ioerror]:
 > > Ok, so, I hacked up a simple way to get the Ubuntu pidgin to send a
 > > malformed png to the Windows pidgin:
 > <SNIP>
 > > Now the server hasn't parsed the images and so it has no idea that
 > > I've loaded a malformed image into my icon. It returns it to the
 > > requesting user as expected:
 > {{{
 > > (02:45:38) jabber: Recv (ssl)(4095): <iq from='xxx at jabber.ccc.de'
 > > to='yyy at jabber.ccc.de/pidgin-wine-otr' id='purplec1ab1726'
 > > type='result'><vCard xmlns='vcard-temp'>
 > <SNIP>
 > > (02:45:38) util: Writing file C:\users\xxx\Application
 > > Data\.purple\icons\190831cd1b33ca2b5906e3f7e2701df96f4271a1.png
 > > (02:45:38) gtkutils: gdk_pixbuf_loader_write() failed with size=6921:
 > > Fatal error reading PNG image file: Decompression Error
 > > (02:45:38) gtkblist: Couldn't load buddy icon on account
 > > yyy at jabber.ccc.de (prpl-jabber)  buddyname=xxx at jabber.ccc.de
 > > custom_img_data=00000000
 > > (02:45:38) gtkutils: gdk_pixbuf_loader_write() failed with size=6921:
 > > Fatal error reading PNG image file: Decompression Error
 > > (02:45:38) gtkblist: Couldn't load buddy icon on account
 > > yyy at jabber.ccc.de (prpl-jabber)  buddyname=xxx at jabber.ccc.de
 > > custom_img_data=00000000
 > > (02:45:38) buddyicon: Deleted cache file: C:\users\xxx\Application
 > > Data\.purple\icons\c3399a8e9f4fbf8c151d3e0f32024ca40074c9cc.png
 > > (02:45:38) jabber: Recv (ssl)(174): <iq from='xxx at jabber.ccc.de/ccc'
 > > to='yyy at jabber.ccc.de' type='result' id='purplec1ab1727'><query
 > > xmlns='jabber:iq:last' seconds='0'/></iq>
 > > (02:45:38) imgstore: retrieved image id 4
 > > (02:45:38) gtkutils: gdk_pixbuf_loader_write() failed with size=6921:
 > > Fatal error reading PNG image file: Decompression Error
 > > (02:45:38) imgstore: retrieved image id 4
 > }}}
 >
 > This is similar to above; the gdk-pixbuf writer can't handle the
 > malformed image, but it isn't really a problem, it's just telling you that
 > it can't handle it.

 Well, I'm not sure it's not a problem, I found this published in 2010(!)
 and it generates the malformed PNGs in question:
 http://www.exploit-db.com/exploits/14422

 The fact that I can totally take pidgin down with those png files leads me
 to believe that it is just a matter of working at it, as opposed to it not
 being used at all or that it "might" be a problem.

 >
 > <SNIP>
 >
 > > When I start a chat properly from the Windows pidgin to the Ubuntu
 > > Pidgin, I see the following in the Windows debug log, it is repeated over
 > > and over:
 > <SNIP>
 >
 > Again, not really a problem.

 If the image has already caused an error, I guess it shouldn't be
 re-parsed over and over again, especially if it caused some heap or stack
 corruption each time.

 >
 > > It seems that I can indeed reach the remote png parser as expected.
 > > Isn't that the libpng png parser?
 >
 > Yes, it is reaching gdk-pixbuf and libpng; this wasn't really ever in
 > doubt.
 >

 You originally wrote this and it is why I was erasing any doubt:
 ''
 "If you read my comments, I already explained why this is not critical.
 Just because a potential vulnerability exists in a particular library
 doesn't mean that it's possible to run into it our use case."
 ''

 OK, well, I think we now both agree that it is possible; I'd like to
 suggest that it is critical to update GTK.


 > Like I said, it is likely that the libpng issues are a potential
 > problem, there isn't really any need to do further investigation.

 It's clearly a problem. I realize it's a pain to update GTK but I think
 all of the Windows users are seriously vulnerable and have been for a
 ''ridiculous'' amount of time.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/14571#comment:22>
Pidgin <http://pidgin.im>
Pidgin