security fixes for 2.5.6

Josh Bressers bressers at redhat.com
Fri May 29 09:21:10 EDT 2009


----- "Josh Bressers" <bressers at redhat.com> wrote:
> ----- "Stanislav Brabec" <sbrabec at suse.cz> wrote:
> > Ka-Hing Cheung wrote:
> >
> > > Additionally, the previous fix to CVE-2008-2927 was incomplete, so we
> > > fixed it again:
> > > 9dd1c4c3 Fixes a buffer overflow in the ZDI-08-054 report
> >
> > Shouldn't the same be done for both msn and msnp9? The patch applies to
> > both branches.
> >
> 
> So FWIW, I looked at Red Hat's build log of this. We don't ever build the
> source in that directory.
> 

This has been noticed:
http://xorl.wordpress.com/2009/05/28/cve-2009-1376-pidgin-msn-slp-integer-truncation/

See the very bottom, the author speaks of the msnp9 directory. If that
protocol isn't used anymore, the directory should probably be removed to avoid
this confusion. If it is used, it should be patched.

From looking at the current source tarball, it's not built by default.

-- 
    JB


