Security response Re: Remote crash in ICQ

Mark Doliner mark at kingant.net
Mon Jun 29 14:52:32 EDT 2009


On Mon, Jun 29, 2009 at 10:10 AM, Warren Togami <wtogami at redhat.com> wrote:
> On 06/28/2009 07:56 PM, Mark Doliner wrote:
>>
>> Attached is a patch to fix the bug.  It applies cleanly to 2.5.7,
>> 2.5.6, 2.5.5 and 2.5.4 (with offset).  I didn't test any older
>> versions.  Only libpurple has changed, so if your Pidgin package links
>> to libpurple dynamically then you really only need to rebuild
>> libpurple.  Also, we've just released 2.5.8 which includes this fix
>> and a few other nice bug fixes.  Source packages are at
>>
>> http://sourceforge.net/project/showfiles.php?group_id=235&package_id=230234&release_id=693070
>> and changelog at http://developer.pidgin.im/wiki/ChangeLog
>>
>> Thanks, and sorry for the inconvenience.
>>
>> -Mark
>
> CVE-2009-1889 has been assigned to this issue.
> http://developer.pidgin.im/ticket/9483
> We are treating this as already public.
>
> 1) Anyone know a reproduce procedure?  We will need this for QA testing the
> binaries.

I was thinking there was a form on http://www.icq.com/ that people
could use to send the message, but the only things I've been able to
find are http://icq.com/people/webmsg.php and
http://www.icq.com/panels/ , and neither of them triggers the crash.

> 4) Who has access to add people to this list?  We need thoger at redhat.com and
> jlieskov at redhat.com added.

Done.

-Mark
