[Secure-testing-team] Bug#843431: [pidgin-sipe] Possibly a use-after-free on a buffer in telepathy transport

Marcin Szewczyk Marcin.Szewczyk at wodny.org
Sun Nov 6 15:51:09 UTC 2016


Package: pidgin-sipe
Version: 1.21.1-1
Severity: normal
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org

--- Please enter the report below this line. ---

Hi,

it looks like the code of both versions 1.18.2 (stable) and 1.21.1
(stretch, sid) may be doing a use-after-free.

g_output_stream_write_async() is called via the do_write() wrapper at:
http://sources.debian.net/src/pidgin-sipe/1.21.1-1/src/telepathy/telepathy-transport.c/?hl=448#L431
and the buffer is freed at the next line. Unfortunately, the
g_output_stream_write_async() documentation says: "Note that no copy of
buffer will be made, so it must stay valid until callback is called".

So I suppose g_free(buffer) should be called after the callback is
executed and not just after scheduling the write.

Sorry if I am mistaken; I am quite fresh to GLib and originally I wanted
to use that code to learn about GLib/GIO.

--- System information. ---
Architecture: amd64
Kernel:       Linux 3.16.0-4-amd64

Debian Release: 8.6
  500 stable          security.debian.org 
  500 stable          ftp.pl.debian.org 
  500 oldstable       ftp.pl.debian.org 
   50 testing         security.debian.org 
   50 testing         ftp.pl.debian.org 
  100 jessie-backports ftp.pl.debian.org 

--- Package information. ---
Package's Depends field is empty.

Package's Recommends field is empty.

Package's Suggests field is empty.

-- 
Marcin Szewczyk
http://wodny.org
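Added example, not code from pidgin-sipe or from the report above: the ownership pattern the report suggests, with the buffer freed in the completion callback instead of on the line after the asynchronous call. The stream type is a stand-in for g_output_stream_write_async() so the example builds without GLib; `do_write`, `write_ctx`, `write_done` and the sample message are assumed names and constructed data.

```c
/* Added example (not pidgin-sipe's code): owning a buffer passed to a non-copying
 * async write like g_output_stream_write_async(). The stream is a stand-in that
 * completes writes in a later dispatch step (like a GLib main-loop iteration). */
#include <stdlib.h>
#include <string.h>
typedef void (*write_done_cb)(size_t written, void *user_data);
struct stream {                 /* one pending write, performed in stream_dispatch() */
    const char *pending_buf;    /* NOT copied: the caller must keep it alive */
    size_t pending_len, sink_len;
    write_done_cb cb;
    void *user_data;
    char sink[256];             /* where the bytes end up */
};
static void stream_write_async(struct stream *s, const char *buf, size_t len,
                               write_done_cb cb, void *user_data) {
    s->pending_buf = buf; s->pending_len = len; s->cb = cb; s->user_data = user_data;
}
/* Later loop iteration: buf is read only now, so freeing it right after scheduling would be a use-after-free. */
static void stream_dispatch(struct stream *s) {
    size_t n = s->pending_len < sizeof s->sink ? s->pending_len : sizeof s->sink;
    memcpy(s->sink, s->pending_buf, n);
    s->sink_len = n;
    s->cb(n, s->user_data);
}
struct write_ctx { char *buffer; size_t len; };   /* owns buffer until the callback */
static int freed_buffers = 0;                     /* instrumentation only */
static void write_done(size_t written, void *user_data) {
    struct write_ctx *ctx = user_data;
    (void)written;
    free(ctx->buffer);          /* safe here: the write has completed */
    free(ctx); freed_buffers++;
}
/* Fixed do_write(): the callback owns the copy; no g_free(buffer) after scheduling. */
static void do_write(struct stream *s, const char *msg) {
    struct write_ctx *ctx = malloc(sizeof *ctx);
    ctx->len = strlen(msg); ctx->buffer = malloc(ctx->len);
    memcpy(ctx->buffer, msg, ctx->len);
    stream_write_async(s, ctx->buffer, ctx->len, write_done, ctx);
}
/* 1 if a constructed message arrives intact and its buffer is freed once, after the callback. */
static int demo(void) {
    struct stream s; memset(&s, 0, sizeof s);
    const char *msg = "SIP/2.0 200 OK\r\n";   /* constructed sample */
    freed_buffers = 0;
    do_write(&s, msg);
    int freed_early = freed_buffers;          /* must still be 0 */
    stream_dispatch(&s);
    return freed_early == 0 && freed_buffers == 1 && s.sink_len == strlen(msg)
        && memcmp(s.sink, msg, s.sink_len) == 0;
}
```

With GIO the same shape applies: the context goes in as user_data and g_free() runs inside the GAsyncReadyCallback after g_output_stream_write_finish().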