2.7.0 test tarballs
Jan Lieskovsky
jlieskov at redhat.com
Wed May 12 12:35:12 EDT 2010
John Bailey wrote:
> On 05/12/2010 10:10 AM, John Bailey wrote:
>> I'd prefer not having to recreate the tarballs since I've already tagged and
>> committed the usual post-release stuff locally. I'm just sitting on the
>> revisions until I make the release public.
>
> For the record, I want to push these tarballs to the public *just before*
> midnight tonight (US EDT), unless any of you come up with major issues that
> require me to respin the tarballs.
>
> Additionally, just for completeness, here is the text I will be publishing on
> our security issues page that describes the problem:
>
> summary:
> Libpurple clients can crash due to malformed SLP message
>
> full description:
> A vulnerability was discovered in libpurple's MSN protocol plugin that can cause
> a denial of service (crash) due to insufficient validation of certain SLP
> packets related to custom emoticons. An attacker could use this vulnerability
> to remotely crash a client using libpurple for MSN. It is not possible for this
> vulnerability to be exploited for code execution. As a workaround, disabling
> custom emoticons on MSN accounts will prevent the vulnerability.
>
> fix:
> Validation has been added to the MSN plugin to prevent the crash.
>
> discovered by:
> Pierre Noguès of Meta Security
Please use CVE-2010-1624 for this. Based on a similar issue -- CVE-2009-2703:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2703
i.e. a NULL pointer dereference, leading to DoS.
Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
>
> John