Remote crash in ICQ
Mark Doliner
mark at kingant.net
Sun Jun 28 23:19:52 EDT 2009
On Sun, Jun 28, 2009 at 5:01 PM, Warren Togami<wtogami at redhat.com> wrote:
> On 06/28/2009 07:56 PM, Mark Doliner wrote:
>>
>> Oh, and I suspect there is probably no chance of remote code
>> execution. The data that triggers the crash comes from the ICQ
>> servers, and I believe is limited to a fairly short length. It's also
>> probably filtered quite a bit.
>>
>> Attached is a patch to fix the bug. It applies cleanly to 2.5.7,
>> 2.5.6, 2.5.5 and 2.5.4 (with offset). I didn't test any older
>> versions. Only libpurple has changed, so if your Pidgin package links
>> to libpurple dynamically then you really only need to rebuild
>> libpurple. Also, we've just released 2.5.8 which includes this fix
>> and a few other nice bug fixes. Source packages are at
>>
>> http://sourceforge.net/project/showfiles.php?group_id=235&package_id=230234&release_id=693070
>> and changelog at http://developer.pidgin.im/wiki/ChangeLog
>>
>> Thanks, and sorry for the inconvenience.
>>
>> -Mark
>
> We still have pidgin-1.5.x in RHEL-3. Is that affected by this?
I suspect that it is affected, but I haven't checked.
-Mark
More information about the Packagers
mailing list