[oss-security] Re: CVE Request (pidgin)

Josh Bressers bressers at redhat.com
Thu Jul 3 22:05:40 EDT 2008


On 4 July 2008, Robert Buchholz wrote:
> On Thursday 03 July 2008, Josh Bressers wrote:
> > On 3 July 2008, Nico Golde wrote:
> > > > Name: CVE-2008-2955
> > > >
> > > >
> > > > Pidgin 2.4.1 allows remote attackers to cause a denial of service
> > > > (crash) via a long filename that contains certain characters, as
> > > > demonstrated using an MSN message that triggers the crash in the
> > > > msn_slplink_process_msg function.
> > >
> > > Did anyone try if this can be done by some random user=20
> > > without authorization and if the victim needs to accept the=20
> > > file first to trigger this?
> >
> > My testing showed that random users can't send files, they need to be
> > in your buddy list.  I'm not sure if the victim needs to accept the
> > file or not.  Last I knew, upstream was still working on this one.
> 
> Our maintainer digged out these changes that are in the newly released 
> 2.4.3:
> 
> http://developer.pidgin.im/viewmtn/revision/diff/6eb1949a96fa80a4c744fc749c2562abc4cc9ed6/with/c3831c9181f4f61b747321240086ee79e4a08fd8/
> libpurple/protocols/msn/slplink.c
> http://developer.pidgin.im/viewmtn/revision/diff/6eb1949a96fa80a4c744fc749c2562abc4cc9ed6/with/c3831c9181f4f61b747321240086ee79e4a08fd8/
> libpurple/protocols/msnp9/slplink.c
> 
> Are they incomplete?
> 

These are patches for a different integer overflow fixed in Pidgin 2.4.3.
So to prevent creating confusion, I'm opening the Red Hat bug that has the
patch and CVE id noted in it.  It was initially planned to not announce
these fixes in public until next week.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2927

I'm also adding the upstream packagers list to the CC so they know what's
going on.

If anyone has any questions, please reply via the oss-security list.  We'll
make that the primary information source to hopefully clear things up.

Thanks.

-- 
    JB



More information about the Packagers mailing list