Remote crash in ICQ

Mark Doliner mark at kingant.net
Sun Jun 28 23:19:52 EDT 2009


On Sun, Jun 28, 2009 at 5:01 PM, Warren Togami<wtogami at redhat.com> wrote:
> On 06/28/2009 07:56 PM, Mark Doliner wrote:
>>
>> Oh, and I suspect there is probably no chance of remote code
>> execution.  The data that triggers the crash comes from the ICQ
>> servers, and I believe is limited to a fairly short length.  It's also
>> probably filtered quite a bit.
>>
>> Attached is a patch to fix the bug.  It applies cleanly to 2.5.7,
>> 2.5.6, 2.5.5 and 2.5.4 (with offset).  I didn't test any older
>> versions.  Only libpurple has changed, so if your Pidgin package links
>> to libpurple dynamically then you really only need to rebuild
>> libpurple.  Also, we've just released 2.5.8 which includes this fix
>> and a few other nice bug fixes.  Source packages are at
>>
>> http://sourceforge.net/project/showfiles.php?group_id=235&package_id=230234&release_id=693070
>> and changelog at http://developer.pidgin.im/wiki/ChangeLog
>>
>> Thanks, and sorry for the inconvenience.
>>
>> -Mark
>
> We still have pidgin-1.5.x in RHEL-3.  Is that affected by this?

I suspect that it is affected, but I haven't checked.

-Mark



More information about the Packagers mailing list