Remote crash in gaim-text

Luke Schierer lschiere at
Tue Mar 6 22:51:55 EST 2007

On Tue, Mar 06, 2007 at 02:09:52AM -0500, Mark Doliner wrote:
> On Sun, 25 Feb 2007 21:39:41 +1100, Richard Nelson wrote
> > I have a (possibly exaggerated) concern; revision f59170f3 fixes a 
> > vulnerability (definitely remote crash, probably remote code 
> > execution) that exists in gaim-text 2.0.0b6. It's very easy to 
> > trigger (have a buddy change their name to a format string, while 
> > you have the buddy list visible), and svn users/downstream don't 
> > have the fix.
> I guess we should probably publicize this and get a CVE number and what not. 
> Is there anyone that thinks we SHOULDN'T?  Unless someone objects, wabz, do
> you think you could write up some info on the vulnerability?  You can look at
> for some examples.  I think we need
> brief title, a summary, description, and description of the fix.  (Title and
> summary are extremely similar... we should consider getting rid of one of those.)
> How does this sound:  We check in a fix to MTN as soon as possible  We hold
> off on checking a fix into Subversion so as to avoid people noticing the bug
> (unless the fix is already been checked in?).  We wait to contact the CVE
> people until we have a firm release date, and we set the embargo date to be
> the same as the release date.  Then we release Pidgin 2.0 containing the fixed
> version, as well as email a patch for Gaim 2.0.0 to the packagers mailing list.
> Luke, you've been in contact with the CVE people recently, right?  When the
> time comes, would you want to handle coordinating with them on this?
> -Mark

I have been in touch with the CERT people.  IIRC, it is Mitre that
handles CVE numbers, not CERT.  There is a redhat person on -packagers
that has obtained CVE numbers for us in the past.


More information about the Cabal mailing list