New security problem in Pidgin

Mark Doliner mark at kingant.net
Fri Oct 16 12:50:04 EDT 2009


My steps for testing were:
1. Install SIM IM (in my case there is an Ubuntu package for it)
2. Sign onto an ICQ account in SIM IM
3. Open an IM window to a user using Pidgin
4. Click the "Message" drop down in the top left corner and select
"Contact List"
5. Check the box next to one of the contacts in the text entry area
6. Click the "Send" button

-Mark

On Fri, Oct 16, 2009 at 6:04 AM, Jan Lieskovsky <jlieskov at redhat.com> wrote:
> Hello Mark && Pidgin upstream,
>
>  also, have you got an exact reproducer (scenario / steps, sample
> contact-list),
> which could be used for patch work verification and testing purposes?
> (you would be willing to share with us).
>
> Of course, any further information of this kind that you potentially
> share with us will be handled as confidential.
>
> Thanks && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
>
> Jan Lieskovsky wrote:
>>
>> Hello Mark,
>>
>>  thank you for the heads-up!
>>
>>  Does this already have a CVE id assigned to it? Or should we assign one?
>>
>> Thanks && Regards, Jan.
>> --
>> Jan iankko Lieskovsky / Red Hat Security Response Team
>>
>> Mark Doliner wrote:
>>>
>>> Already public, discovered 6 days ago:
>>> http://developer.pidgin.im/ticket/10481
>>> Our description for it is: http://pidgin.im/news/security/?id=41
>>> Patch for 2.6.2 is attached
>>> ("libpurple_fix_icq_remote_crash.diff")--should apply without much
>>> complaint to older code as well.
>>> Probably should have a CVE, if anyone wants to request one for us.
>>>
>>> There's another recent AIM/ICQ bug where the block list isn't working.
>>>  It's not a security problem, but it's something that some people care
>>> strongly about.  I've attached a patch for that too, in case you want
>>> to backport it, at your option. ("libpurple_fix_aim_blocklist.diff")
>>>
>>> We just released 2.6.3.  It is 2.6.2 plus a few hand-picked commits to
>>> fix the above two problems and a few other small changes.
>>>
>>> Sorry for the short notice--we first heard about this 6 days ago and
>>> it's been a ridiculously busy week for me.
>>>
>>> -Mark
>>>
>>> _______________________________________________
>>> Packagers mailing list
>>> Packagers at pidgin.im
>>> http://pidgin.im/cgi-bin/mailman/listinfo/packagers