MSN emoticon DoS

John Bailey rekkanoryo at rekkanoryo.org
Thu May 6 06:55:44 EDT 2010


Hello, packagers,

I apologize for not notifying you of this issue sooner; I had forgotten about
it, as we've been working on Pidgin 2.7.0 for so long.

A security vulnerability has been discovered in the MSN plugin for libpurple.

Affected software: libpurple 2.6.5 and 2.6.6; earlier versions may be affected.

Description:  We have been informed of a denial of service (crash) related to
custom emoticons on the MSN protocol.  Both we and the original reporter believe
this issue can NOT be used for code execution, but merely for a remote crash.
The specific problem is a NULL pointer dereference.

Discovered by: Pierre Noguès

Public: no

Embargo date: none.

Attached is a patch written by Elliott Sales de Andrade that resolves the crash.
This fix will be included in Pidgin 2.7.0, which is currently aimed for a
release late Monday night or Tuesday, but may be pushed back farther if needed
for translations and coordinated releases.

John
-------------- next part --------------
A non-text attachment was scrubbed...
Name: msn-emoticon-fix.diff
Type: text/x-patch
Size: 711 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20100506/44ed3ddc/attachment.bin>