Security response Re: Remote crash in ICQ
Warren Togami
wtogami at redhat.com
Mon Jun 29 13:10:13 EDT 2009
On 06/28/2009 07:56 PM, Mark Doliner wrote:
> Attached is a patch to fix the bug. It applies cleanly to 2.5.7,
> 2.5.6, 2.5.5 and 2.5.4 (with offset). I didn't test any older
> versions. Only libpurple has changed, so if your Pidgin package links
> to libpurple dynamically then you really only need to rebuild
> libpurple. Also, we've just released 2.5.8 which includes this fix
> and a few other nice bug fixes. Source packages are at
> http://sourceforge.net/project/showfiles.php?group_id=235&package_id=230234&release_id=693070
> and changelog at http://developer.pidgin.im/wiki/ChangeLog
>
> Thanks, and sorry for the inconvenience.
>
> -Mark
CVE-2009-1889 has been assigned to this issue.
http://developer.pidgin.im/ticket/9483
We are treating this as already public.
1) Anyone know a reproduce procedure? We will need this for QA testing
the binaries.
2) Is pidgin 1.5.x affected? It appears to contain similar code in the
oscar prpl, however
<darkrain42> That said, incomingim_chan4 in 1.5 pretty clearly doesn't
actually handle packets of type '0x1a'
3) http://pidgin.im/news/security/
After the CVE is fully defined someone will need to write the page for here.
4) Who has access to add people to this list? We need thoger at redhat.com
and jlieskov at redhat.com added.
Warren Togami
wtogami at redhat.com