Fwd: FYI: Remote DOS in Pidgin 2.2.0 over MSN
Luke Schierer
lschiere at pidgin.im
Thu Sep 27 22:42:50 EDT 2007
On Thu, Sep 27, 2007 at 09:20:44PM -0400, Josh Bressers wrote:
> >
> > An MSN nudge sent from a previously unknown buddy causes an immediate
> > crash in libpurple 2.2.0. I fixed this in
> > a5dd91b5d76972cf72a56209503c7e32d71c6e3c - I wasn't sure how best to
> > note the fix without advertising the DOS, so my log message:
> >
> > serv_got_attention() doesn't expect an escaped string; it just wants a
> > name. The str variable was unused.
> >
> > is true but incomplete, as I didn't note that this also fixes the
> > crash. With the previous code, buddy was NULL for an unknown remote
> > user; NULL was then dereferenced to get the name for passing to
> > serv_got_attention().
> >
> > What's the proper protocol for handling this sort of thing?
> >
>
> Thanks for the heads up Luke. Is this public anywhere else? If not I can
> assign it a CVE id.
>
> --
> JB
As best I am aware, it is not public.
luke
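
The crash pattern described in the quoted report, as an added example that is not part of the original thread and is not libpurple code: a lookup that returns NULL for an unknown sender, the handler that dereferences it, and a handler that passes the sender name through directly. All type and function names here are hypothetical stand-ins, and the "after" form is an assumption about the shape of the fix based on the quoted log message.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins; none of these are libpurple's real types or functions. */
typedef struct { const char *name; } Buddy;

static Buddy buddy_list[] = { { "alice@example.com" } };  /* constructed sample data */
static const char *last_attention_from;  /* records what the sink received */

/* Returns NULL when the sender is not on the local buddy list. */
static Buddy *find_buddy(const char *who) {
    for (size_t i = 0; i < sizeof buddy_list / sizeof buddy_list[0]; i++)
        if (strcmp(buddy_list[i].name, who) == 0)
            return &buddy_list[i];
    return NULL;
}

/* Stand-in for the attention sink: it only needs a name. */
static void got_attention(const char *who) { last_attention_from = who; }

/* Before: the name is fetched through the lookup result. For an unknown
 * sender find_buddy() returns NULL and buddy->name dereferences it. */
void handle_nudge_before(const char *passport) {
    Buddy *buddy = find_buddy(passport);
    got_attention(buddy->name);          /* crashes when buddy == NULL */
}

/* After: the sender name from the wire is passed through directly, so the
 * handler no longer depends on the sender being a known buddy. */
void handle_nudge_after(const char *passport) {
    got_attention(passport);
}

/* Helper for checking: returns 1 if the fixed handler delivered `who`. */
int nudge_delivered(const char *who) {
    last_attention_from = NULL;
    handle_nudge_after(who);
    return last_attention_from != NULL && strcmp(last_attention_from, who) == 0;
}

int main(void) {
    /* Only the fixed handler is exercised; the 'before' form would crash here. */
    return nudge_delivered("stranger@example.com") ? 0 : 1;
}
```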