security fixes for 2.5.6
Ka-Hing Cheung
khc at pidgin.im
Sat May 30 14:31:37 EDT 2009
On Fri, May 29, 2009 at 09:21:10AM -0400, Josh Bressers wrote:
> ----- "Josh Bressers" <bressers at redhat.com> wrote:
> > ----- "Stanislav Brabec" <sbrabec at suse.cz> wrote:
> > > Ka-Hing Cheung wrote:
> > >
> > > > Additionally, the previous fix to CVE-2008-2927 was incomplete, so we
> > > > fixed it again:
> > > > 9dd1c4c3 Fixes a buffer overflow in the ZDI-08-054 report
> > >
> > > Shouldn't be the same done for both msn and msnp9? The patch applies to
> > > both branches.
> > >
> >
> > So FWIW, I looked at Red Hat's build log of this. We don't ever build the
> > source in that directory.
> >
>
> This has been noticed:
> http://xorl.wordpress.com/2009/05/28/cve-2009-1376-pidgin-msn-slp-integer-truncation/
>
> See the very bottom, the author speaks of the msnp9 directory. If that
> protocol isn't used anymore, the directory should probably be removed to avoid
> this confusion. If it is used, it should be patched.
That has been fixed on trunk, but was not backported to the release branch.
Since the next release will be from trunk anyway, I am just going to comment
on that blog saying such.
-khc
More information about the Packagers
mailing list