Thanks for reporting this bug and helping make Ubuntu better. Sorry we don't always have the resources to get to every bug report. Ubuntu 10.04 is no longer supported so I'm going to close the bug.
** Changed in: pidgin (Ubuntu)
       Status: New => Fix Released

--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pidgin in Ubuntu.
https://bugs.launchpad.net/bugs/886576

Title:
  pidgin crashes upon attempts to receive video calls over XMPP

Status in pidgin package in Ubuntu:
  Fix Released

Bug description:
  Description:    Ubuntu 10.04.3 LTS
  Release:        10.04

  pidgin:
    Installed: 1:2.6.6-1ubuntu4.3
    Candidate: 1:2.6.6-1ubuntu4.3
    Version table:
   *** 1:2.6.6-1ubuntu4.3 0
          500 http://us.archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
          100 /var/lib/dpkg/status
       1:2.6.6-1ubuntu4.1 0
          500 http://security.ubuntu.com/ubuntu/ lucid-security/main Packages
       1:2.6.6-1ubuntu4 0
          500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages

  pidgin crashes upon attempts to receive video calls over XMPP - If
  video calls fail, or are not supported, pidgin should report an error -
  it should *not* crash.

  This bug was found in pidgin 2.6.6 under Ubuntu 10.04 (Lucid Lynx), an
  LTS release.

  I confirm that the bug is fixed in pidgin 2.10.0.

  I do not know exactly when this bug was fixed, but it is in fact fixed
  in later pidgin releases... Ubuntu should please upgrade the pidgin
  version in the 10.04 LTS release. I, personally, will simply upgrade my
  copy of pidgin.

  I consider this a security vulnerability, because it causes the pidgin
  process to terminate. On my system, some other services depend on
  pidgin to run. A malicious user can destroy the function of *my* server
  by taking advantage of this bug.

  It's very easy to reproduce:

  Log into a gtalk account in pidgin via XMPP.
  Log into a different gtalk account via gmail's www interface.
  From the www interface, attempt a video call to the other gtalk account logged into pidgin.
  (www is the caller, pidgin is the receiver)

  Here is a backtrace of the issue occurring.

  GNU gdb (GDB) 7.1-ubuntu
  Copyright (C) 2010 Free Software Foundation, Inc.
  License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
  This is free software: you are free to change and redistribute it.
  There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
  and "show warranty" for details.
  This GDB was configured as "x86_64-linux-gnu".
  For bug reporting instructions, please see:
  <http://www.gnu.org/software/gdb/bugs/>...
  Reading symbols from /usr/bin/pidgin...Reading symbols from /usr/lib/debug/usr/bin/pidgin...done.
  done.
  (gdb) handle SIGPIPE nostop noprint
  Signal        Stop    Print   Pass to program Description
  SIGPIPE       No      No      Yes             Broken pipe
  (gdb) run
  Starting program: /usr/bin/pidgin
  [Thread debugging using libthread_db enabled]
  Xlib:  extension "RANDR" missing on display ":0.0".
  [New Thread 0x7fffe038d700 (LWP 24171)]

  Program received signal SIGSEGV, Segmentation fault.
  0x00007fffdedacad4 in jingle_transport_parse (transport=0x16beba0)
      at /build/buildd/pidgin-2.6.6/./libpurple/protocols/jabber/jingle/transport.c:169
  169     /build/buildd/pidgin-2.6.6/./libpurple/protocols/jabber/jingle/transport.c: No such file or directory.
          in /build/buildd/pidgin-2.6.6/./libpurple/protocols/jabber/jingle/transport.c
  (gdb) bt full
  #0  0x00007fffdedacad4 in jingle_transport_parse (transport=0x16beba0)
      at /build/buildd/pidgin-2.6.6/./libpurple/protocols/jabber/jingle/transport.c:169
          type = 0x16e80c0 "http://www.google.com/transport/p2p"
  #1  0x00007fffdeda794b in jingle_content_parse_internal (content=0x16753f0)
      at /build/buildd/pidgin-2.6.6/./libpurple/protocols/jabber/jingle/content.c:386
          description = <value optimized out>
          type = 0x14bd170 "urn:xmpp:jingle:apps:rtp:1"
          creator = 0x16e9870 "initiator"
          disposition = 0x0
          senders = 0x0
          name = 0x16e97b0 "video"
          transport = <value optimized out>
  #2  0x00007fffdedaa9b3 in jingle_rtp_parse_internal (rtp=0x16beba0)
      at /build/buildd/pidgin-2.6.6/./libpurple/protocols/jabber/jingle/rtp.c:675
          content = <value optimized out>
          description = <value optimized out>
          media_type = <value optimized out>
          ssrc = <value optimized out>
  #3  0x00007fffdeda6bd3 in jingle_handle_session_initiate (session=0x14f2060, jingle=0x8a05a0)
      at /build/buildd/pidgin-2.6.6/./libpurple/protocols/jabber/jingle/jingle.c:227
          parsed_content = 0x0
          content = <value optimized out>
  #4  0x00007fffdeda61f8 in jabber_process_packet (js=0x14fd730, packet=<value optimized out>)
      at /build/buildd/pidgin-2.6.6/./libpurple/protocols/jabber/jabber.c:269
          xmlns = <value optimized out>
  #5  0x00007fffdedb0d57 in jabber_parser_element_end_libxml (
      user_data=0x16beba0, element_name=<value optimized out>, prefix=0x0,
      namespace=0x7ffff7fbe7e0 "\340\347\373\367\377\177")
      at /build/buildd/pidgin-2.6.6/./libpurple/protocols/jabber/parser.c:142
          packet = 0x0
  #6  0x00007ffff4077de3 in xmlParseEndTag2 (ctxt=0x14d4a20, prefix=0x0,
      URI=0x14d8ca7 "jabber:client", line=0, nsNr=0, tlen=<value optimized out>)
      at parser.c:9216
          name = 0x1 <Address 0x1 out of bounds>
  #7  0x00007ffff4084529 in xmlParseTryOrFinish (ctxt=0x14d4a20, terminate=0)
      at parser.c:11018
          ret = 0
          avail = 5
          tlen = 9
          cur = <value optimized out>
          next = <value optimized out>
          lastlt = 0x14d6a03 "</iq>"
          lastgt = 0x14d6a07 ">"
  #8  0x00007ffff4085c8c in xmlParseChunk__internal_alias (ctxt=0x14d4a20,
      chunk=0x7fffdefd0c40 "http://www.google.com/session/phone\"/><pho:payload-type id=\"8\" name=\"PCMA\" bitrate=\"64000\" clockrate=\"8000\" xmlns:pho=\"http://www.google.com/session/phone\"/><pho:payload-type id=\"117\" name=\"red\" clock"...,
      size=788, terminate=0) at parser.c:11602
          end_in_lf = 0
          remain = 0
  #9  0x00007fffdedb0afd in jabber_parser_process (js=0x14fd730, buf=0x0, len=0)
      at /build/buildd/pidgin-2.6.6/./libpurple/protocols/jabber/parser.c:252
          ret = <value optimized out>
  #10 0x00007fffdeda53a2 in jabber_recv_cb_ssl (data=0x14fc900, gsc=0xbb8600, cond=<value optimized out>)
      at /build/buildd/pidgin-2.6.6/./libpurple/protocols/jabber/jabber.c:551
          js = 0x14fd730
          len = 788
          buf = "http://www.google.com/session/phone\"/><pho:payload-type id=\"8\" name=\"PCMA\" bitrate=\"64000\" clockrate=\"8000\" xmlns:pho=\"http://www.google.com/session/phone\"/><pho:payload-type id=\"117\" name=\"red\" clock"...
  #11 0x000000000046ea9e in pidgin_io_invoke (source=<value optimized out>,
      condition=<value optimized out>, data=<value optimized out>)
      at /build/buildd/pidgin-2.6.6/./pidgin/gtkeventloop.c:78
          closure = 0xbffbb0
          purple_cond = PURPLE_INPUT_READ
  #12 0x00007ffff4e728c2 in g_main_dispatch (context=0x6f7450)
      at /build/buildd/glib2.0-2.24.1/glib/gmain.c:1960
          dispatch = 0x7ffff4eb4e10 <g_io_unix_dispatch>
          user_data = 0xbffbb0
          callback = 0x46ea60 <pidgin_io_invoke>
          cb_funcs = 0x7ffff5110610
          cb_data = 0x14feea0
          current_source_link = {data = 0x14d5180, next = 0x0}
          source = 0x14d5180
          current = 0xdfa8b0
          i = 0
  #13 IA__g_main_context_dispatch (context=0x6f7450)
      at /build/buildd/glib2.0-2.24.1/glib/gmain.c:2513
  No locals.
  #14 0x00007ffff4e76748 in g_main_context_iterate (context=0x6f7450,
      block=<value optimized out>, dispatch=<value optimized out>,
      self=<value optimized out>)
      at /build/buildd/glib2.0-2.24.1/glib/gmain.c:2591
          max_priority = 2147483647
          timeout = 774
          some_ready = 1
          nfds = 15
          allocated_nfds = -186108336
          fds = <value optimized out>
          __PRETTY_FUNCTION__ = "g_main_context_iterate"
  #15 0x00007ffff4e76c55 in IA__g_main_loop_run (loop=0x14fde10)
      at /build/buildd/glib2.0-2.24.1/glib/gmain.c:2799
          self = 0x6ee010
          __PRETTY_FUNCTION__ = "IA__g_main_loop_run"
  #16 0x00007ffff6251bb7 in IA__gtk_main ()
      at /build/buildd/gtk+2.0-2.20.1/gtk/gtkmain.c:1219
          tmp_list = 0x714ea0
          functions = 0x0
          init = 0x0
          loop = <value optimized out>
  #17 0x000000000048675f in main (argc=1, argv=0x7fffffffe288)
      at /build/buildd/pidgin-2.6.6/./pidgin/gtkmain.c:977
          opt_force_online = 0
          opt_help = <value optimized out>
          opt_login = 0
          opt_nologin = 0
          opt_version = -16040
          opt_si = 1
          opt_config_dir_arg = <value optimized out>
          opt_login_arg = 0x0
          opt_session_arg = 0x0
          accounts = <value optimized out>
          sigset = {__val = {81927, 0 <repeats 15 times>}}
          prev_sig_disp = <value optimized out>
          signal_channel = <value optimized out>
          signal_status = <value optimized out>
          error = 0x0
          opt = <value optimized out>
          gui_check = <value optimized out>
          debug_enabled = 0
          migration_failed = <value optimized out>
          active_accounts = <value optimized out>
          long_options = {{name = 0x4d30c2 "config", has_arg = 1, flag = 0x0, val = 99},
            {name = 0x4be354 "debug", has_arg = 0, flag = 0x0, val = 100},
            {name = 0x4ce63b "force-online", has_arg = 0, flag = 0x0, val = 100},
            {name = 0x4c1744 "help", has_arg = 0, flag = 0x0, val = 104},
            {name = 0x4ce405 "login", has_arg = 2, flag = 0x0, val = 108},
            {name = 0x4ce648 "multiple", has_arg = 0, flag = 0x0, val = 109},
            {name = 0x4ce651 "nologin", has_arg = 0, flag = 0x0, val = 110},
            {name = 0x4d30b8 "session", has_arg = 1, flag = 0x0, val = 115},
            {name = 0x4c4b43 "version", has_arg = 0, flag = 0x0, val = 118},
            {name = 0x4d30cb "display", has_arg = 1, flag = 0x0, val = 68},
            {name = 0x4ce659 "sync", has_arg = 0, flag = 0x0, val = 83},
            {name = 0x0, has_arg = 0, flag = 0x0, val = 0}}
  (gdb) quit
  A debugging session is active.

          Inferior 1 [process 24168] will be killed.

  Quit anyway? (y or n)