MSN emoticon DoS
Jan Lieskovsky
jlieskov at redhat.com
Wed May 12 12:33:27 EDT 2010
John Bailey wrote:
> On 05/07/2010 08:31 AM, Jan Lieskovsky wrote:
>> So you probably want to fix both of them. Though I'm not sure how widely
>> the code in the relevant "msnp9" subdirectory is used nowadays.
>
> MSNp9 is removed for 2.7.0. The last release in which MSNp9 was used is 2.4.3.
> Since we removed MSNp9, we may not have checked to see if that plugin was
> vulnerable as well. Only distributions using Pidgin 2.4.3 or earlier will need
> to care, truthfully, as Pidgin 2.5.0 and newer enabled the MSNp15
> (libpurple/msn) plugin by default.
>
> Also, do we need to get a CVE number for this one? I know we've done it in the
> past.
Please use CVE-2010-1624 for this. It is based on an issue similar to CVE-2009-2703:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2703
i.e. NULL ptr dereference, leading to DoS.
Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
>
> John