New potential DoS vulnerability
jlieskov at redhat.com
Thu Dec 23 13:40:31 EST 2010
Jan Lieskovsky wrote:
> Hi John,
> thank you for the notification.
> John Bailey wrote:
>> Hi, packagers.
>> We have yet another potential denial of service vulnerability in our
>> MSN code.
>> It's a null pointer dereference due to receiving a "short" packet for
>> a direct connection. This vulnerability was discovered by Stu Tomlinson,
>> and Sales de Andrade provided the attached patch, which he believes
>> fixes the issue.
Grr, /me shouldn't write emails when hungry :(.
> Assuming a CVE identifier needs to be assigned to this issue. Let us
> if it is still needed or one should be assigned. (just checking to avoid
The last sentence should have been: "Let us know if it is still needed
or one has been already assigned. If the latter is the case, please
let us know the particular identifier."
Thanks && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
P.S.: And sorry for the noise.
> Thanks && Regards, Jan.
> Jan iankko Lieskovsky / Red Hat Security Response Team
>> I believe, but am not certain, that this vulnerability *should* affect
>> libpurple 2.7.6, 2.7.7, and 2.7.8, as previous versions do not cause
>> the MSN servers to send us the "short" packets that cause the crash. Any
>> developer with better knowledge of this should chime in and correct my
>> mistakes (if
>> I was supposed to include this in the 2.7.8 release this past weekend,
>> missed it. I am planning to release 2.7.9 late Sunday evening with
>> this patch included, but you may wish instead to simply patch your
>> existing packages. It's unlikely that 2.7.9 will include any significant
>> new development work, being so close to the Christmas holiday.
>> Packagers mailing list
>> Packagers at pidgin.im
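The thread above concerns a null pointer dereference triggered by a "short" direct-connection packet. The following is an added illustration of the defensive length check such a parser needs; it is not libpurple's MSN code and not the attached patch, and the wire format it assumes (a 4-byte little-endian payload-length prefix followed by the payload) is invented for the example, as are the sample packets.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration, not libpurple code: a framed "direct
 * connection" packet parser that must not crash when the peer sends
 * fewer bytes than its own header promises. The 4-byte little-endian
 * length prefix is an assumed wire format for this example. */

#define DC_HEADER_LEN 4u

enum dc_status {
    DC_OK = 0,
    DC_ERR_SHORT_HEADER,   /* fewer bytes than the fixed header */
    DC_ERR_SHORT_PAYLOAD,  /* header announces more bytes than arrived */
    DC_ERR_EMPTY_PAYLOAD   /* header announces a zero-length payload */
};

typedef struct {
    uint32_t payload_len;
    const uint8_t *payload;  /* NULL unless dc_parse returned DC_OK */
} dc_packet_t;

/* Decode the little-endian length prefix. Only called once the caller
 * has verified that at least DC_HEADER_LEN bytes are present. */
static uint32_t dc_read_len(const uint8_t *buf)
{
    return (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
           ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
}

/* Validate the frame before exposing any pointer into it. The unchecked
 * pattern this guards against is: derive a payload pointer (or get NULL
 * back from a lookup helper) and dereference it without confirming the
 * packet actually carried those bytes. */
enum dc_status dc_parse(const uint8_t *buf, size_t len, dc_packet_t *out)
{
    out->payload_len = 0;
    out->payload = NULL;

    if (buf == NULL || len < DC_HEADER_LEN)
        return DC_ERR_SHORT_HEADER;

    uint32_t announced = dc_read_len(buf);
    if (announced == 0)
        return DC_ERR_EMPTY_PAYLOAD;
    if (announced > len - DC_HEADER_LEN)
        return DC_ERR_SHORT_PAYLOAD;

    out->payload_len = announced;
    out->payload = buf + DC_HEADER_LEN;
    return DC_OK;
}

/* Consumer that touches the payload only on DC_OK. Returns the first
 * payload byte, or -1 when the packet was rejected, so no NULL or
 * out-of-bounds pointer is ever dereferenced. */
int dc_first_payload_byte(const uint8_t *buf, size_t len)
{
    dc_packet_t pkt;
    if (dc_parse(buf, len, &pkt) != DC_OK)
        return -1;
    return pkt.payload[0];
}

/* Constructed sample packets (not captured traffic). */
const uint8_t dc_sample_good[]      = {0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c'};
const uint8_t dc_sample_short_hdr[] = {0x03, 0x00};
const uint8_t dc_sample_truncated[] = {0x05, 0x00, 0x00, 0x00, 'a', 'b'};
const uint8_t dc_sample_empty[]     = {0x00, 0x00, 0x00, 0x00};
```

The point of the structure is that the only function handing out a payload pointer also owns every length check, so a caller cannot reach a dereference on a packet the header does not cover; a short header, a truncated payload and an empty payload each come back as a distinct status rather than as a NULL that is silently used.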