Fwd: FYI: Remote DOS in Pidgin 2.2.0 over MSN

Josh Bressers bressers at redhat.com
Thu Sep 27 21:20:44 EDT 2007

> An MSN nudge sent from a previously unknown buddy causes an immediate  
> crash in libpurple 2.2.0.  I fixed this in  
> a5dd91b5d76972cf72a56209503c7e32d71c6e3c - I wasn't sure how best to  
> note the fix without advertising the DOS, so my log message:
> serv_got_attention() doesn't expect an escaped string; it just wants a  
> name. The str variable was unused.
> is true but incomplete, as I didn't note that this also fixes the  
> crash.  With the previous code, buddy was NULL for an unknown remote  
> user; NULL was then dereferenced to get the name for passing to  
> serv_got_attention().
> What's the proper protocol for handling this sort of thing?

Thanks for the heads up Luke.  Is this public anywhere else?  If not I can
assign it a CVE id.


More information about the Packagers mailing list