Remote crash in gaim-text
lschiere at users.sf.net
Tue Mar 6 22:51:55 EST 2007
On Tue, Mar 06, 2007 at 02:09:52AM -0500, Mark Doliner wrote:
> On Sun, 25 Feb 2007 21:39:41 +1100, Richard Nelson wrote
> > I have a (possibly exaggerated) concern; revision f59170f3 fixes a
> > vulnerability (definitely remote crash, probably remote code
> > execution) that exists in gaim-text 2.0.0b6. It's very easy to
> > trigger (have a buddy change their name to a format string, while
> > you have the buddy list visible), and svn users/downstream don't
> > have the fix.
> I guess we should probably publicize this and get a CVE number and what not.
> Is there anyone that thinks we SHOULDN'T? Unless someone objects, wabz, do
> you think you could write up some info on the vulnerability? You can look at
> http://gaim.sourceforge.net/security/ for some examples. I think we need
> brief title, a summary, description, and description of the fix. (Title and
> summary are extremely similar... we should consider getting rid of one of those.)
> How does this sound: We check in a fix to MTN as soon as possible We hold
> off on checking a fix into Subversion so as to avoid people noticing the bug
> (unless the fix is already been checked in?). We wait to contact the CVE
> people until we have a firm release date, and we set the embargo date to be
> the same as the release date. Then we release Pidgin 2.0 containing the fixed
> version, as well as email a patch for Gaim 2.0.0 to the packagers mailing list.
> Luke, you've been in contact with the CVE people recently, right? When the
> time comes, would you want to handle coordinating with them on this?
I have been in touch with the CERT people. IIRC, it is Mitre that
handles CVE numbers, not CERT. There is a redhat person on -packagers
that has obtained CVE numbers for us in the past.
More information about the Cabal