Remote crashes being fixed in Pidgin 2.6.6
mark at kingant.net
Thu Feb 18 03:44:11 EST 2010
Released now. Tarballs available at
Our pages that list these security problems have been updated:
On Tue, Feb 16, 2010 at 1:51 AM, Mark Doliner <mark at kingant.net> wrote:
> Here's an update!
> * 3 separate security issues
> * Not yet public knowledge
> * Pidgin 2.6.6 has been created, but NOT YET RELEASED TO THE PUBLIC.
> I'll send the tarballs in separate emails to avoid making this email
> * Patches to fix the issues are attached. These are what went into
> 2.6.6. They apply to 2.6.2 with just a little fuzz and offsets and
> should work fine. Anything older will need manual intervention for at
> least one of the changes. ALSO NOT YET PUBLIC
> * Embargo date is GMT 08:00:00am Feb 18 for all information, including
> the patches and the tarball
> * We'll release Pidgin 2.6.6 and push the changes to our code
> repository shortly after the embargo date
> 1. CVE-2010-0277 - "MSN SLP Remote Crash"
> This is the crash discovered by Fabian Yamaguchi and mentioned at
> http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html, but I
> don't feel that there are enough published details about this for it
> to be considered public. I do not know if there is potential for
> remote code execution.
> 2. CVE-2010-0420 - "Finch XMPP MUC Crash"
> Discovered by Sadrul Habib Chowdhury last week. In an XMPP MUC, if
> someone changes the nick to '<br>' (using '/nick <br>' for example),
> then libpurple ends up having two users with username '\n' in the
> room, and Finch crashes in this situation. We do not believe there is
> a possibility of remote code execution.
> I believe this commit fixes the problem, and there is a patch attached
> to add an extra safety check to Finch:
> 3. CVE-2010-0423 - "Smiley Denial of Service"
> Pidgin becomes unresponsive and consumes lots of CPU when receiving an
> IM containing many smileys. This is a remote denial of service
> attack, but is not exploitable in any other way. It was reported to
> us by Andrea Barisani of oCERT. I did revise the previous patch.
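
A simplified model of the duplicate-name condition described for CVE-2010-0420, added here as an illustration; it is not taken from the Pidgin or Finch source or from the attached patch. The `<br>`-to-newline normalization, the `struct room` layout and the `room_add_user` check are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_USERS 16
#define NAME_LEN  64
/* Hypothetical chat-room user list keyed by normalized display name. */
struct room { char names[MAX_USERS][NAME_LEN]; int count; };

/* Assumed normalization: each "<br>" in a nick becomes '\n', as the
 * message describes. Returns 0 on success, -1 if the result won't fit. */
static int normalize_nick(const char *nick, char *out, size_t outlen)
{
    size_t o = 0;
    while (*nick) {
        if (o + 1 >= outlen) return -1;
        if (strncmp(nick, "<br>", 4) == 0) { out[o++] = '\n'; nick += 4; }
        else out[o++] = *nick++;
    }
    out[o] = '\0';
    return 0;
}

static int room_find(const struct room *r, const char *name)
{
    for (int i = 0; i < r->count; i++)
        if (strcmp(r->names[i], name) == 0) return i;
    return -1;
}

/* Safety check: never let two entries share one normalized name.
 * Returns the new index, or -1 if the nick is rejected. */
int room_add_user(struct room *r, const char *nick)
{
    char name[NAME_LEN];
    if (r->count >= MAX_USERS) return -1;
    if (normalize_nick(nick, name, sizeof name) != 0) return -1;
    if (name[0] == '\0' || room_find(r, name) >= 0) return -1;
    strcpy(r->names[r->count], name);
    return r->count++;
}

int main(void)
{
    struct room r = { .count = 0 };
    printf("%d\n", room_add_user(&r, "<br>"));  /* constructed input */
    printf("%d\n", room_add_user(&r, "\n"));    /* collides after normalization */
    printf("users: %d\n", r.count);
    return 0;
}
```

The point of the check is that uniqueness is enforced on the normalized name the UI will index by, not on the raw nick received from the network.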