Remote crashes being fixed in Pidgin 2.6.6
Mark Doliner
mark at kingant.net
Thu Feb 18 03:44:11 EST 2010
Released now. Tarballs available at
https://sourceforge.net/projects/pidgin/files/Pidgin/2.6.6/
Our pages that list these security problems have been updated:
http://pidgin.im/news/security/
--Mark
On Tue, Feb 16, 2010 at 1:51 AM, Mark Doliner <mark at kingant.net> wrote:
> Here's an update!
> * 3 separate security issues
> * Not yet public knowledge
> * Pidgin 2.6.6 has been created, but NOT YET RELEASED TO THE PUBLIC.
> I'll send the tarballs in separate emails to avoid making this email
> huge.
> * Patches to fix the issues are attached. These are what went into
> 2.6.6. They apply to 2.6.2 with just a little fuzz and offsets and
> should work fine. Anything older will need manual intervention for at
> least one of the changes. ALSO NOT YET PUBLIC
> * Embargo date is GMT 08:00:00am Feb 18 for all information, including
> the patches and the tarball
> * We'll release Pidgin 2.6.6 and push the changes to our code
> repository shortly after the embargo date
>
> 1. CVE-2010-0277 - "MSN SLP Remote Crash"
>
> This is the crash discovered by Fabian Yamaguchi and mentioned at
> http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html, but I
> don't feel that there are enough published details about this for it
> to be considered public. I do not know if there is potential for
> remote code execution.
>
> 2. CVE-2010-0420 - "Finch XMPP MUC Crash"
>
> Discovered by Sadrul Habib Chowdhury last week. In an XMPP MUC, if
> someone changes the nick to '<br>' (using '/nick <br>' for example),
> then libpurple ends up having two users with username '\n' in the
> room, and finch crashes in this situation. We do not believe there is
> a possibility of remote code execution.
>
> I believe this commit fixes the problem, and there is a patch attached
> to add an extra safety check to Finch:
> http://developer.pidgin.im/viewmtn/revision/info/0085c32abf29d034d30feef1ffb1d483e316a9a8
>
> 3. CVE-2010-0423 - "Smiley Denial of Service"
>
> Pidgin becomes unresponsive and consumes lots of CPU when receiving an
> IM containing many smileys. This is a remote denial of service
> attack, but is not exploitable in any other way. It was reported to
> us by Andrea Barisani of ocert. I did revise the previous patch.
>
> --Mark
>
More information about the Packagers mailing list