New potential DoS vulnerability

Jan Lieskovsky jlieskov at redhat.com
Thu Dec 23 13:40:31 EST 2010


Jan Lieskovsky wrote:
> Hi John,
> 
>   thank you for the notification.
> 
> John Bailey wrote:
>> Hi, packagers.
>>
>> We have yet another potential denial of service vulnerability in our
>> MSN code. It's a null pointer dereference due to receiving a "short"
>> packet for a direct connection. This vulnerability was discovered by
>> Stu Tomlinson, and Elliott Sales de Andrade provided the attached
>> patch, which he believes fixes the issue.

Grr, /me shouldn't write emails when hungry :(.

> 
>   Assuming a CVE identifier needs to be assigned to this issue. Let us 
> know,
> if it is still needed or one should be assigned. (just checking to avoid
> duplicates).

The last sentence should have been: "Let us know if it is still needed
or one has been already assigned. If the latter is the case, please
let us know the particular identifier."

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: And sorry for the noise.

> 
> Thanks && Regards, Jan.
> -- 
> Jan iankko Lieskovsky / Red Hat Security Response Team
> 
>>
>> I believe, but am not certain, that this vulnerability *should* affect
>> only libpurple 2.7.6, 2.7.7, and 2.7.8, as previous versions do not
>> cause the MSN servers to send us the "short" packets that cause the
>> crash. Any developer with better knowledge of this should chime in and
>> correct my mistakes (if any).
>>
>> I was supposed to include this in the 2.7.8 release this past weekend,
>> but missed it. I am planning to release 2.7.9 late Sunday evening with
>> this patch included, but you may wish instead to simply patch your
>> existing packages. It's unlikely that 2.7.9 will include any
>> significant new development work, being so close to the Christmas
>> holiday.
>>
>> John
>>
>>
>> _______________________________________________
>> Packagers mailing list
>> Packagers at pidgin.im
>> http://pidgin.im/cgi-bin/mailman/listinfo/packagers
> 

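The bug class John describes above (a "short" direct-connection packet turning into a NULL pointer dereference) is illustrated by the following added example. It is not libpurple's or Pidgin's code and does not reproduce the real MSN wire format: the 8-byte header layout, the function names and the sample packets are assumptions constructed for this illustration. It shows a parser that signals truncation by returning NULL, a caller that dereferences that result unconditionally, and the hardened caller that checks the result and drops the packet instead of crashing.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Hypothetical direct-connection packet (assumption for this example only):
 * 4-byte little-endian session id, 4-byte little-endian body length, body.
 */
#define DC_HEADER_LEN 8

typedef struct {
    uint32_t session_id;
    uint32_t body_len;
    const uint8_t *body;
} dc_packet;

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Parser that reports a truncated packet by returning NULL. Every caller
 * must remember to check; forgetting is exactly the bug described above.
 */
static const dc_packet *dc_parse(const uint8_t *buf, size_t len, dc_packet *out)
{
    if (buf == NULL || len < DC_HEADER_LEN)
        return NULL;                        /* header truncated */
    out->session_id = rd_le32(buf);
    out->body_len   = rd_le32(buf + 4);
    if (out->body_len > len - DC_HEADER_LEN)
        return NULL;                        /* body shorter than advertised */
    out->body = buf + DC_HEADER_LEN;
    return out;
}

/* Unsafe pattern: trusts dc_parse to succeed. A short packet from the peer
 * makes pkt NULL and the dereference crashes the client. Shown only; the
 * stand-alone main below deliberately does not call it on short input. */
static uint32_t dc_handle_unsafe(const uint8_t *buf, size_t len)
{
    dc_packet tmp;
    const dc_packet *pkt = dc_parse(buf, len, &tmp);
    return pkt->session_id;                 /* NULL dereference on short input */
}

/* Hardened pattern: check the parse result and drop the packet on failure.
 * Returns 0 on success, -1 when the packet is too short to be trusted. */
static int dc_handle(const uint8_t *buf, size_t len, uint32_t *session_out)
{
    dc_packet tmp;
    const dc_packet *pkt = dc_parse(buf, len, &tmp);
    if (pkt == NULL)
        return -1;                          /* peer sent garbage; keep running */
    *session_out = pkt->session_id;
    return 0;
}

/* Constructed sample packets for this example. */
static const uint8_t good_pkt[] = {
    0x2a, 0x00, 0x00, 0x00,   /* session id 42 */
    0x03, 0x00, 0x00, 0x00,   /* body length 3 */
    'a', 'b', 'c'
};
static const uint8_t short_pkt[] = { 0x2a, 0x00, 0x00 };   /* not even a header */
static const uint8_t lying_pkt[] = {
    0x2a, 0x00, 0x00, 0x00,
    0x10, 0x00, 0x00, 0x00    /* claims 16 body bytes, carries none */
};

int main(void)
{
    uint32_t sid = 0;
    printf("good:  rc=%d session=%u\n", dc_handle(good_pkt, sizeof good_pkt, &sid), sid);
    printf("short: rc=%d\n", dc_handle(short_pkt, sizeof short_pkt, &sid));
    printf("lying: rc=%d\n", dc_handle(lying_pkt, sizeof lying_pkt, &sid));
    printf("unsafe on good input: %u\n", dc_handle_unsafe(good_pkt, sizeof good_pkt));
    return 0;
}
```

The two checks in dc_parse matter separately: the first guards the header read, the second guards the body, since a peer can send a complete header whose length field promises more bytes than arrived. The hardened handler turns both into a dropped packet rather than a crash, which is the fix shape for a remote denial of service of this kind.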