Upcoming Pidgin security disclosures and 2.10.1
jlieskov at redhat.com
Sat Dec 10 16:00:03 EST 2011
On 12/09/2011 09:44 PM, Mark Doliner wrote:
> On Fri, Dec 9, 2011 at 2:20 AM, Jan Lieskovsky<jlieskov at redhat.com> wrote:
>> 3) Returning to the CVE-2011-3594 issue once more.
>> a, https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3594
>> (Red Hat Bugzilla bug)
>> b, (originally proposed upstream patch)
>> c, (the new CVE-2011-3594 patch version you mentioned in post from
>> Summary (diff b, vs c,):
>> The b, patch fixed the issue only in private messages. Patch c, also fixes
>> the issue in channel messages (with similar logic).
>> Mark, can you confirm that the CVE-2011-3594 issue would be exploitable to
>> cause the same harm in channel messages (intended to be fixed by the new
>> patch) as in private messages (already covered by patch b,)?
> That's my interpretation, yes. I'm not really familiar with SILC,
> though, so I could be wrong. That's a downside of us continuing to
> include a virtually unmaintained IM protocol :-(
From a look at the SILC protocol overview (slides #6, #7 and #8):
it looks like a similar issue is possible in SILC channel messages too.
>> Asking because, if this is true (basically the same kind of issue, just in
>> a different part of the source code), this would need a fourth CVE
>> identifier (as an incomplete fix for the CVE-2011-3594 issue).
> Hmm. So you're saying a CVE pertains to a problem plus the associated
> fix for that problem? I've always thought of them as pertaining only
> to the problem.
Yes, CVE identifiers are associated with some deficiency but also with
a particular upstream patch. If another issue (though similar to the previous
one) is found in a different code part, it needs a new CVE id.
>> Could you confirm that the channel source code exhibits the same concern
>> as the private messages issue?
>> Once confirmed, I would allocate the fourth CVE identifier for the channel
>> issue too (so it can be fixed by Linux distribution vendors who have already
>> applied the original patch for the CVE-2011-3594 issue).
> Yeah I think that's accurate.
Ok, thank you.
>> CVE recapitulation:
>> ii) second CVE -- OSCAR UTF-8 issue. Going to be requested via OSS-security
>> once public.
>> One note here: are we sure we are fixing both instances (private vs
>> channel OSCAR messages)?
> I'm pretty confident that the oscar fix is complete--I was pretty
> thorough when investigating and writing the patch. (I should point
> out that the oscar issue doesn't deal with private or channel
> messages. It deals with authorization requests when adding ICQ
> buddies to your list.)
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team