An exploitable denial of service vulnerability exists in Pidgin's implementation of the MSN Messenger protocol in the libpurple library. An attacker who can control the contents of an MSN message can cause a string search function to return a NULL pointer, which is later dereferenced without validation.
Tested version: Pidgin 2.10.7
In file libpurple/protocols/msn/msg.c at line 199, in function msn_message_parse_payload(), the following code handles a folded (whitespace-continued) header line of the message payload:

    if ((*cur == ' ') || (*cur == '\t')) {
        tokens = g_strsplit(g_strchug(cur), "=\"", 2);
        key = tokens[0];
        value = tokens[1];

        /* The only one I care about is 'boundary' (which is folded from
           the key 'Content-Type'), so only process that. */
        if (!strcmp(key, "boundary")) {
            char *end = strchr(value, '\"');
            *end = '\0';
If a message contains a folded line of the form boundary="value (i.e. a boundary attribute without a closing quote), the strchr() call at line 199 returns NULL because no second double quote exists in the value. That NULL pointer is written through on the following line (*end = '\0') without any check, resulting in program termination.
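The following is an added example written for this page; it is not libpurple code and uses no GLib. It reimplements the folded-attribute parse in plain C in two forms: one mirroring the vulnerable shape described above (strchr() result written through unchecked), and a hardened form that rejects an unterminated quoted value and a line with no `="` at all (the tokens[1] == NULL case, which the same strcmp()/strchr() path would also mishandle). The three sample continuation lines are constructed for the example, not captured MSN traffic; the function and constant names are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample continuation lines (not captured MSN traffic). After a
 * "Content-Type: multipart/mixed;" line, the boundary parameter arrives on a
 * folded line that begins with whitespace. */
static const char FOLDED_OK[]           = " boundary=\"msn_boundary_1\"\r\n";
static const char FOLDED_UNTERMINATED[] = " boundary=\"msn_boundary_1";
static const char FOLDED_NO_VALUE[]     = " boundary";

/* malloc'd copy of s; caller frees. Avoids relying on POSIX strdup(). */
static char *copy_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Like g_strchug(): skip leading blanks (here without modifying the input). */
static const char *skip_blanks(const char *s)
{
    while (*s == ' ' || *s == '\t')
        s++;
    return s;
}

/* Split a folded attribute line into key and value on the first `="`, the
 * same split g_strsplit(..., "=\"", 2) performs. On success *buf owns the
 * storage and *key / *value point into it; *value is NULL when the line has
 * no `="` (the tokens[1] == NULL case). Returns 0 if the line is not folded
 * or memory allocation fails. */
static int split_attr(const char *line, char **buf, char **key, char **value)
{
    if (*line != ' ' && *line != '\t')
        return 0;                        /* not a continuation line */
    *buf = copy_str(skip_blanks(line));
    if (*buf == NULL)
        return 0;
    char *eq = strstr(*buf, "=\"");
    *key = *buf;
    if (eq != NULL) {
        *eq = '\0';
        *value = eq + 2;
    } else {
        *value = NULL;
    }
    return 1;
}

/* Vulnerable shape, mirroring the logic quoted above: strchr() returns NULL
 * for an unterminated quoted value (and value itself is NULL when there was
 * no `="`), and that NULL is written through. Do not feed it hostile input. */
char *parse_boundary_vulnerable(const char *line)
{
    char *buf, *key, *value, *result = NULL;
    if (!split_attr(line, &buf, &key, &value))
        return NULL;
    if (strcmp(key, "boundary") == 0) {
        char *end = strchr(value, '"');  /* NULL when no closing quote */
        *end = '\0';                     /* NULL pointer write: crash */
        result = copy_str(value);
    }
    free(buf);
    return result;
}

/* Hardened form: every pointer that can be NULL is checked before use.
 * Returns NULL for anything that is not a complete boundary="..." attribute. */
char *parse_boundary_hardened(const char *line)
{
    char *buf, *key, *value, *result = NULL;
    if (!split_attr(line, &buf, &key, &value))
        return NULL;
    if (strcmp(key, "boundary") == 0 && value != NULL) {
        char *end = strchr(value, '"');
        if (end != NULL) {               /* only accept a closed quote */
            *end = '\0';
            result = copy_str(value);
        }
    }
    free(buf);
    return result;
}

int main(void)
{
    const char *inputs[] = { FOLDED_OK, FOLDED_UNTERMINATED, FOLDED_NO_VALUE };
    for (size_t i = 0; i < 3; i++) {
        char *b = parse_boundary_hardened(inputs[i]);
        printf("hardened parse of sample %zu -> %s\n", i, b ? b : "(rejected)");
        free(b);
    }
    /* parse_boundary_vulnerable(FOLDED_UNTERMINATED) would segfault here. */
    return 0;
}
```

The hardened parser treats a missing closing quote as a malformed attribute and drops it, which is the behaviour a practitioner wants for attacker-controlled protocol data: a truncated value should never be trusted, and the parse must never depend on a library call that can legitimately return NULL succeeding.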
Credit: Yves Younan of Sourcefire VRT