IRC remote crasher and patch

Jan Lieskovsky jlieskov at redhat.com
Mon Jul 18 09:47:00 EDT 2011


Hello Ethan,

   thank you for the preliminary notification.

On 07/16/2011 11:28 PM, Ethan Blanton wrote:
> Hi all,
>
> The information in this email is security sensitive, and is not to be
> revealed until 2.9.1 is released.  Please keep it under wraps for the
> time being.
>
> An IRC remote crasher snuck into 2.8.0 along with all the other IRC
> WHO brokenness.  It enables either 1) a malicious server, or 2) a
> malicious user on a server with less-than-strict nick checking to
> crash Pidgin users with certain encoding configurations.  It is a
> crasher only (as best I can tell), and is not exploitable.
>
> This bug is not unknown, but as a fix has not yet made it into
> a release and the precise reason for the crash has not been publicly
> identified, I am asking that it be kept quiet.  Our bug is:
>
> http://developer.pidgin.im/ticket/14341

Since the bug (and the relevant reproducer:
http://developer.pidgin.im/ticket/14341#comment:14)
are public already, the CVE identifier should be requested via the
oss-security mailing list:
[1] http://oss-security.openwall.org/wiki/mailing-lists/oss-security

But please keep in mind, it is a public mailing list (so as soon as
you post a CVE request there, the whole issue will be public). So the CVE
identifier should be requested only one or two days before the new upstream
release is public.

Since the issue is semi-public, we cannot allocate a CVE identifier
any more (since we would risk that Mitre assigns another one for the
same issue, and this can result in a CVE rejection process etc.).

So it is safer if you request it there once upstream is ready (it should be
allocated within 1-2 days).

>
> I believe there is an Adium bug for this issue, as well.  (It has
> quite possibly been around for a long time; this broken WHO code went
> into Adium's libpurple long before ours, as I understand it.)
>
> I assume we need a CVE number for this; since it's not exactly an
> undisclosed bug, I'm not sure if anyone on this list can issue it.  If
> not, please let me know how we go about getting one.  (Maybe another
> Pidgin dev knows?)
>
> A patch to fix this problem is attached.  It will be included in 2.9.1
> when it is released, which will hopefully not be too far off.  At that
> time, vendors should feel free to apply the attached patch to their
> packages.

Hopefully a more exact time estimation, when we can expect the v2.9.1 
release to be public?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

>
> Ethan