Multiple remotely-triggerable crashes in libpurple

Jan Lieskovsky jlieskov at redhat.com
Thu Oct 14 07:59:14 EDT 2010


Hi John,

   thank you for your reply.

John Bailey wrote:
> On 10/11/2010 11:43 AM, Jan Lieskovsky wrote:
>>   Please use CVE-2010-3711 to reference these flaws in your advisory.
> 
> Thank you!  I plan to draft a smaller summary of the original disclosure I
> posted here for use on our website.  I'll post it here once I have drafted it.

Ok, good.

> 
>>   Are there any reproducer / proof of concept files, which could be used
>> for
>> patch work verification and updated packages testing purposes?
>>
>>   If they are available, would you be willing to privately [1] share
>> them with us?
>>
>> [1] http://www.redhat.com/security/team/key/
> 
> I, unfortunately, did not test the patch.  I have not been involved much with
> our development lately due to my regular job.  This is an excellent question for
> Daniel.

Is Daniel on this list too? Or should we contact him?

> The nature of some of these crashes seems to be something that could be
> more easily triggered with a specially designed PoC executable that can
> intentionally send malformed information than with a file to transfer, though.

Ok, good, will try to prepare some then.

> 
>>   Also wondering about other vendors notification, do you have a plan to
>> post
>> a short note regarding the issues to the vendor-sec channel?
>>
>>   Providing basic issue details (i.e. multiple NULL pointer dereference
>> flaws
>> leading to pidgin DoS, mentioning CVE id and preliminary / proposed
>> embargo date,
>> together with patch should be enough as post there).
>>
>>   Alternatively, we can send a short note regarding the issues to the
>> vendor-sec
>> channel, just let us know you expect us to do so.
> 
> I've never dealt with vendor-sec.  Any assistance in that regard is quite welcome.

Ok, great. We will post a short notification to vendor-sec then. But prior to doing
that, I would like to request your approval to privately share your original
post to this list, together with the patches, if someone requests them.

We would post a short notification and provide further flaw details (your original
notification) only in case someone (some vendor) requests them.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> 
> Thanks,
> John
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Packagers mailing list
> Packagers at pidgin.im
> http://pidgin.im/cgi-bin/mailman/listinfo/packagers
