Remotely-triggerable crash in libpurple

Mark Doliner mark at kingant.net
Fri Jul 16 15:09:02 EDT 2010


(including the packagers list this time--sorry for the duplicate email Ionut)

On Fri, Jul 16, 2010 at 10:44 AM, Ionut Biru <ibiru at archlinux.org> wrote:
> On 07/14/2010 11:18 AM, Mark Doliner wrote:
>
>>
>> The patch is against the latest code in our source repository, and I
>> have not tested applying it to 2.7.0 or 2.7.1.  I suspect it'll apply
>> with no fuzz, possibly with an offset.  If you run into any problems
>> please let me know and I can try to help.
>>
>
> the patch doesn't apply against 2.7.1. both hunks fail as the code was
> changed a lot since 2.7.1
>
> for the first hunk int num1,num2; -> guint16 num1, num2; and for second the
> first line remove is an if in 2.7.1.
>
> should i try backport it or is not so critical and can wait until 2.7.2 is
> released?

Whoops, my bad.  This bug is pretty easy for a remote hacker to
trigger, so probably worth patching (after it's made public, of
course) if you're not planning on shipping 2.7.2 immediately.  I've
backported the patch to 2.7.1 and attached it.  I didn't try it
against 2.7.0, but it might work.

--Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: oscar_xstatus_remote_crash_fix_2_for_pidgin_2.7.1.diff
Type: text/x-diff
Size: 3076 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20100716/2d4e1e7f/attachment.diff>


More information about the Packagers mailing list