New security problem in Pidgin

Jan Lieskovsky jlieskov at redhat.com
Fri Oct 16 09:04:25 EDT 2009


Hello Mark && Pidgin upstream,

   also, have you got an exact reproducer (scenario / steps, sample contact-list)
which could be used for patch work verification and testing purposes,
and which you would be willing to share with us?

Of course, any further information of this kind that you potentially share
with us will be handled as confidential.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Jan Lieskovsky wrote:
> Hello Mark,
> 
>   thank you for the heads-up!
> 
>   Does this already have a CVE id assigned to it? Or should we assign one?
> 
> Thanks && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team
> 
> Mark Doliner wrote:
>> Already public, discovered 6 days ago: 
>> http://developer.pidgin.im/ticket/10481
>> Our description for it is: http://pidgin.im/news/security/?id=41
>> Patch for 2.6.2 is attached
>> ("libpurple_fix_icq_remote_crash.diff")--should apply without much
>> complaint to older code as well.
>> Probably should have a CVE, if anyone wants to request one for us.
>>
>> There's another recent AIM/ICQ bug where the block list isn't working.
>>  It's not a security problem, but it's something that some people care
>> strongly about.  I've attached a patch for that too, in case you want
>> to backport it, at your option. ("libpurple_fix_aim_blocklist.diff")
>>
>> We just released 2.6.3.  It is 2.6.2 plus a few hand-picked commits to
>> fix the above two problems and a few other small changes.
>>
>> Sorry for the short notice--we first heard about this 6 days ago and
>> it's been a ridiculously busy week for me.
>>
>> -Mark
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Packagers mailing list
>> Packagers at pidgin.im
>> http://pidgin.im/cgi-bin/mailman/listinfo/packagers
> 


