Remote crash in gaim-text

Mark Doliner mark at kingant.net
Sat Mar 10 12:33:46 EST 2007


On Tue, 6 Mar 2007 22:51:55 -0500, Luke Schierer wrote
> On Tue, Mar 06, 2007 at 02:09:52AM -0500, Mark Doliner wrote:
> > On Sun, 25 Feb 2007 21:39:41 +1100, Richard Nelson wrote
> > > I have a (possibly exaggerated) concern; revision f59170f3 fixes a 
> > > vulnerability (definitely remote crash, probably remote code 
> > > execution) that exists in gaim-text 2.0.0b6. It's very easy to 
> > > trigger (have a buddy change their name to a format string, while 
> > > you have the buddy list visible), and svn users/downstream don't 
> > > have the fix.
> > 
> > I guess we should probably publicize this and get a CVE number and what not. 
> > Is there anyone that thinks we SHOULDN'T?  Unless someone objects, wabz, do
> > you think you could write up some info on the vulnerability?  You can look at
> > http://gaim.sourceforge.net/security/ for some examples.  I think we need
> > brief title, a summary, description, and description of the fix.  (Title and
> > summary are extremely similar... we should consider getting rid of one of
> > those.)
> > 
> > How does this sound:  We check in a fix to MTN as soon as possible.  We hold
> > off on checking a fix into Subversion so as to avoid people noticing the bug
> > (unless the fix has already been checked in?).  We wait to contact the CVE
> > people until we have a firm release date, and we set the embargo date to be
> > the same as the release date.  Then we release Pidgin 2.0 containing the fixed
> > version, as well as email a patch for Gaim 2.0.0 to the packagers mailing
> > list.
> > 
> > Luke, you've been in contact with the CVE people recently, right?  When the
> > time comes, would you want to handle coordinating with them on this?
> > 
> > -Mark
> 
> I have been in touch with the CERT people.  IIRC, it is Mitre that
> handles CVE numbers, not CERT.  There is a redhat person on -
> packagers that has obtained CVE numbers for us in the past.

Heh heh, ok, my bad.  I guess I'll talk to the Red Hat CVE guy when the time
comes.  Thanks!
Mark
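The bug class Richard describes, as an added illustration that is not Gaim's own code: a buddy-controlled alias handed to a formatting call as the format argument, shown beside the fixed pattern. The `struct buddy` layout and the function names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed buddy record standing in for whatever the real gaim-text
   buddy list stores; the field names are assumptions, not Gaim's. */
struct buddy {
    const char *alias;   /* remote-controlled: a buddy chooses their own name */
    int online;
};

/* VULNERABLE pattern: the untrusted alias *is* the format string, so any
   conversion directives the buddy put in their name are interpreted when
   the buddy list is drawn.  That is the remote crash the thread reports.
   Kept here only for contrast; never call it on real input.
   gcc -Wformat-security flags this call (format is not a string literal). */
int render_buddy_line_unsafe(char *out, size_t outlen, const struct buddy *b)
{
    return snprintf(out, outlen, b->alias);
}

/* FIXED pattern: the format string is a literal and the alias is only ever
   a "%s" argument, so its bytes are copied verbatim, directives and all. */
int render_buddy_line(char *out, size_t outlen, const struct buddy *b)
{
    return snprintf(out, outlen, "%s %s", b->online ? "[+]" : "[ ]", b->alias);
}

/* Regression check a maintainer might keep: render a hostile-looking alias
   through the fixed path and confirm it appears literally in the output. */
int alias_rendered_literally(const char *alias)
{
    struct buddy b = { alias, 1 };
    char line[128];
    int n = render_buddy_line(line, sizeof line, &b);
    return n > 0 && (size_t)n < sizeof line
        && strncmp(line, "[+] ", 4) == 0
        && strcmp(line + 4, alias) == 0;
}

int main(void)
{
    struct buddy evil = { "%s%s%s%x", 1 };   /* constructed hostile alias */
    char line[128];
    render_buddy_line(line, sizeof line, &evil);
    puts(line);   /* the directives stay inert: "[+] %s%s%s%x" */
    return 0;
}
```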


More information about the Cabal mailing list