2.7.0 test tarballs

Jan Lieskovsky jlieskov at redhat.com
Wed May 12 12:35:12 EDT 2010


John Bailey wrote:
> On 05/12/2010 10:10 AM, John Bailey wrote:
>> I'd prefer not having to recreate the tarballs since I've already tagged and
>> committed the usual post-release stuff locally.  I'm just sitting on the
>> revisions until I make the release public.
> 
> For the record, I want to push these tarballs to the public *just before*
> midnight tonight (US EDT), unless any of you come up with major issues that
> require me to respin the tarballs.
> 
> Additionally, just for completeness, here is the text I will be publishing on
> our security issues page that describes the problem:
> 
> summary:
> Libpurple clients can crash due to malformed SLP message
> 
> full description:
> A vulnerability was discovered in libpurple's MSN protocol plugin that can cause
> a denial of service (crash) due to insufficient validation of certain SLP
> packets related to custom emoticons.  An attacker could use this vulnerability
> to remotely crash a client using libpurple for MSN.  It is not possible for this
> vulnerability to be exploited for code execution.  As a workaround, disabling
> custom emoticons on MSN accounts will prevent the vulnerability.
> 
> fix:
> Validation has been added to the MSN plugin to prevent the crash.
> 
> discovered by:
> Pierre Noguès of Meta Security

Please use CVE-2010-1624 for this, based on a similar issue, CVE-2009-2703:
   [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2703

i.e. a NULL pointer dereference leading to DoS.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
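The advisory above describes a bug class (a required field of a network message used without checking that it was actually present) rather than a specific line of code. The following is an added illustration written for this archive page; it is not libpurple's SLP parser, and the "Key: value" line format, the header names SessionID and Context, and the function names are constructed for the example. It places the unchecked lookup next to the checked one so the difference the fix makes is visible.

```c
#include <stdio.h>
#include <string.h>

/* Toy message format (constructed for this example, not MSN SLP): a sequence
 * of "Key: value\r\n" lines. Returns a pointer to the value of `key` and stores
 * the value's length in *vlen; returns NULL when the header is absent. */
static const char *get_header(const char *msg, const char *key, size_t *vlen)
{
    size_t klen = strlen(key);
    const char *p = msg;

    while (*p != '\0') {
        const char *eol = strstr(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);

        /* "Key: " must fit on the line before we compare it. */
        if (linelen >= klen + 2 && strncmp(p, key, klen) == 0
            && p[klen] == ':' && p[klen + 1] == ' ') {
            *vlen = linelen - klen - 2;
            return p + klen + 2;
        }
        if (eol == NULL)
            break;
        p = eol + 2;
    }
    return NULL;
}

/* Vulnerable pattern: the lookup result is dereferenced without a NULL check.
 * A peer that omits the Context header drives this through a NULL pointer and
 * crashes the process, the denial-of-service class the advisory describes. */
int context_type_unchecked(const char *msg)
{
    size_t vlen;
    const char *ctx = get_header(msg, "Context", &vlen);
    return (unsigned char)ctx[0];        /* NULL dereference on a malformed message */
}

/* Fixed pattern: every required field is validated before use. A missing or
 * empty Context header yields -1 and the message is discarded; the caller never
 * touches memory it was not handed. */
int context_type_checked(const char *msg)
{
    size_t vlen = 0;
    const char *ctx = get_header(msg, "Context", &vlen);
    if (ctx == NULL || vlen == 0)
        return -1;                       /* reject instead of crashing */
    return (unsigned char)ctx[0];
}

int main(void)
{
    /* Constructed sample messages: one well-formed, one with the header missing. */
    const char *good = "SessionID: 7\r\nContext: Xabc\r\n";
    const char *bad  = "SessionID: 7\r\n";

    printf("good, checked:   %d\n", context_type_checked(good));
    printf("bad, checked:    %d\n", context_type_checked(bad));
    printf("good, unchecked: %d\n", context_type_unchecked(good));
    /* context_type_unchecked(bad) would crash; it is deliberately not called. */
    return 0;
}
```

The checked variant is the shape of the fix the release note summarises as "validation has been added": the parser treats an absent or empty field as a protocol error and drops the message, so a remote peer cannot turn a missing header into a crash.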
> 
> John
