MSN SLP Security Vulnerability

Daniel Atallah daniel.atallah at gmail.com
Wed Jun 18 23:51:05 EDT 2008


On Wed, Jun 18, 2008 at 7:11 PM, Richard Laager <rlaager at wiktel.com> wrote:
> On Wed, 2008-06-18 at 14:29 -0400, Daniel Atallah wrote:
>> I'm fine with this, but I'd like to backport a couple crashing fixes
>> from i.p.p (yahoo aliases, and something else I can't remember
>> offhand).
>
> Could you start the 2.4.3 branch with these? When you're ready, we can
> commit the security fix and go from there.

For those not following at home, I've created a
"im.pidgin.pidgin.2.4.3" branch with the following revisions from
i.p.p.  There probably are more things that could be backported.

7a490c356e10f7fff3432f875897aa0ca0ad1ff0 yahoo double free

e9fa06c5d654248927dd0838d27cfb6b712a153a yahoo aliases crash fix

0130292e82764988f2d833f4a5d3ff5523f2eb7f HTTP proxy love

3d595739f53a259d5dae408a05f64d2836f02ac9 yahoo aliases functionality fix

05cdb341d2bf5165ab95cc42e52750624f0a7ad9 bonjour crash fixes

3000ba9c654a856b833192838f3a789b6d0bbf92 Update things for 2.4.3devel,
in case we do one.

aee44829b7e711fdac9a1848e4918effdb78195d Make the changelog.win32
consistent with previous releases

33e2a75561ac894e2186354bd7e3d509b513c366 xmpp crash

90044aa70ff85325bb4dd1102410046531721109 imhtmltoolbar crash

0de80ccd44f6ce7fe6942baa1e0dfc95a2878d05 Prevent double freeing when
we don't get the proxy data we're expecting from gconftool. Fixes
#5663.

5e69fb5f354ed74d6deb6f4d1f6aff46afd8a072 Yahoo seems to always send
messages encoded in utf-8 now.  Hopefully this doesn't cause problems
with other older clients. Fixes #5973.

d99b567b2df0833b855496e7466e6c4c2d9d2329 Don't crash if the given
jabber id is invalid.  For example, bond/_007 at gmail.com

904a276588f7de13ba13b578905c82c0493184ce Include the send button
plugin in the win32 build

4dd6e06680aebbca6a326930f5fff7e65ed87802 Make the IRC "unknown
message" debugging messages UTF-8 safe. Fixes #6019

5dec4714953825272bec5164be3761db1d7fdc9a Don't start sending the local
file until after receiving the <streamhost-used/> response.  Also fix
some scenarios where the local streamhost wasn't being cleaned up.
Fixes #5563.

c63750bedbfe2b637719fb4225f6c40085e13be9 Fix setting buddy icons on yahoo.

a7440122b7d40c1639d123e9f27fb9601f581ae5 RPMs w/o meanwhile

43cf42d58f68c1f3f9ae27b10c66dbc351612f30 shorter bonjour win32 url

2e34cc5b5c98162e2a36c51a9eff26fcaa55dcf2 yahoo japan utf8

f27cf27abac3307baeb823ac405c3c09bf5f057e yahoo japan changelog

677a3855450efcb2a3b51c843ced2d166c018159 pango tooltip leak

d7c39222c546f6465ca80cf5a249d8a4d0ceb8d3 Fix stack smashing for forced
old (port 5223) ssl auth. Closes #5974.

adc233c42c586b7fae877a688cd39532eaca23a0 Fix a memleak when handling
jabber xforms.

f249b4c4ad3ec2e4c35e74aef4efee943974b835 dutch translation crash

6c9b241a178cbf5a0760ba9646e0460067db378a other broken translations

ddf9a92e5eff18d5dc957a19bc6b7d918904848b A patch from toofishes to fix
a crash. Fixes #6036

4c0536321fe25e0646f67565a43deafe1cb5f32c dos2unix po/lt.po Fixes #5847.

69abb190985a5392d3b2e3296db80accf46bf74b unleak gtkplugin

7a36a9ecbcc902ee89656d5267e613aa1dc0b889 patch from Andrew Gaul that
fixes a memleak

6f45eed99c94f8e63e46ad382a70c0c4e266b833 A patch from Martijn van
Beers to handle outgoing PURPLE_TYPE_SUBTYPE values in the Perl
bindings. Fixes #3853

> If we want to fix the uPnP thing, it's a minor bump. That one is very
> low impact, so we can do that for 2.5.0 if we decide it needs fixing.

Unless I'm mistaken, the impact of this is relatively low because the
perpetrator has to be on your network.


-D


