#1281 closed defect (fixed)

bitlbee-libpurple: Use after free when expiring file transfer requests

Reported by: dx Owned by:
Priority: normal Milestone:
Component: Unspecified / other Version: Unspecified
Keywords: Cc:
IRC client+version: Client-independent Operating System: Other
OS version/distro:

Description (last modified by dx)


Pending file transfer requests expire after 120 seconds, which may result in use after free if the corresponding account is disconnected. A malicious remote server could force this disconnection.

CVE-2016-10188 has been assigned for this issue.


This results in denial of service (remote crash of the BitlBee instance), or remote code execution (theoretically).

For BitlBee servers configured in ForkDaemon mode (default) or inetd mode, the crash is limited to one user connection, who may just reconnect.

  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial
  • Exploitability: Functional Exploit Exists
  • Remediation Level: Official Fix
  • Report Confidence: Confirmed
  • Target Distribution: Medium
  • CVSS v2 score: 1.6

Affected versions

bitlbee-libpurple 3.4.2 or older

Unaffected versions

bitlbee (non-libpurple builds), any version

bitlbee-libpurple 3.5


  • Upgrade to 3.5 (released 2017-01-08)
  • For 3.4.2 see the attached


  • For 3.4.1 and 3.4 see the attached


  • For earlier versions upgrading is strongly recommended because of

the amount of accumulated bugfixes, but the following line may be removed from protocols/purple/purple.c to prevent any processing of incoming file transfers:



This affects any libpurple protocol when used through BitlBee. It does not affect other libpurple-based clients such as pidgin.

This is a very visible issue - all file transfer request attempts and all disconnections will be logged in the control channel and visible by the targeted user. File transfer requests look like this:

<@root> [account] - File transfer request from [username] for
[filename] (0 kb).
<@root> Accept the file transfer if you'd like the file. If you
don't, issue the 'transfer reject' command.

Cancelling the file transfer request using the "transfer reject" command before the disconnection happens can prevent this. However, using that command after the account is disconnected will result in an immediate crash.


CVE-2016-10188: Original bugfix commit:

Change History (5)

comment:1 Changed at 2017-01-30T18:05:21Z by dx

Description: modified (diff)
Resolution: fixed
Status: newclosed
Summary: [reserved]bitlbee-libpurple: Use after free when expiring file transfer requests

Made public.

comment:2 Changed at 2017-01-30T18:24:59Z by dx

Description: modified (diff)

Added attachment links, fixed code block formatting.

comment:3 Changed at 2017-01-31T15:48:12Z by dx

Description: modified (diff)

CVE-2016-10188 has been assigned for this issue

Modify Ticket

as closed The ticket will remain with no owner.
The resolution will be deleted.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.