IRC remote crasher and patch

Jan Lieskovsky jlieskov at redhat.com
Mon Jul 18 10:52:11 EDT 2011 

Thanks for your reply, Ethan.

On 07/18/2011 04:04 PM, Ethan Blanton wrote:
> Jan Lieskovsky spake unto us the following wisdom:
>>> http://developer.pidgin.im/ticket/14341
>>
>> Since the bug (and relevant reproducer:
>> http://developer.pidgin.im/ticket/14341#comment:14)
>>
>> are public already, the CVE identifier should be requested via
>> oss-security mailing list:
>> [1] http://oss-security.openwall.org/wiki/mailing-lists/oss-security
>>
>> But please keep in mind, it is a public mailing list (so as soon as
>> you post CVE request there, the whole issue will be public). So CVE
>> identifier should be requested only one / two days before new upstream
>> release is public.
>
> OK, thanks for the procedural information.

No problem, you are welcome.

>
>> Since the issue is semi public, we can not allocate a CVE identifier
>> any more (since we would risk Mitre would assign another one for the
>> same issue and this can result in CVE rejection process etc).
>>
>> So safer if you would request it there, once upstream ready (should be
>> allocated within 1-2 days).
>>
>>> A patch to fix this problem is attached.  It will be included in 2.9.1
>>> when it is released, which will hopefully not be too far off.  At that
>>> time, vendors should feel free to apply the attached patch to their
>>> packages.
>>
>> Hopefully a more exact time estimation, when we can expect the
>> v2.9.1 release to be public?
>
> I don't know yet.  There are some other fixes being worked on.  We're
> planning on a proper string freeze and release, so you'll have at
> least a few days of notice for that.  We will keep this list posted on
> the release time frame, and I will let you know when the email goes to
> oss-security, as distributions should feel free to apply the fix at
> that time, I guess.

Brilliant, thank you.

One point regarding issue credit yet. Having look at upstream report
suggests the issue was reported with username with nick 'darkrain42'.

Do you potentially know their real name? Or will Pidgin upstream credit
the reporter as 'darkrain42' in your advisory too?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

>
> We may need to discuss this one, maybe the proverbial cat is already
> out of the bag and I need to just push the patch.
>
> Ethan

More information about the Packagers mailing list