Denial of Service vulnerability in Pidgin
Mark Doliner
mark at kingant.net
Wed Jun 22 04:05:18 EDT 2011
Please do not publicly release this information or these files until
after the embargo date!
I've built Pidgin 2.9.0 with my fix and a few other bug fixes, mostly
for regression and crash bugs. The full list of changes is below. The
files are at http://pidgin.im/~markdoliner/KafAR89n2j2F/. I'm also
attaching a slightly updated patch. I think the differences between
this one and the first one are basically cosmetic. The changes have
not been pushed to our public code repository.
The release is currently targeted for Thursday 10pm US Pacific time /
Friday 5am UTC, but it's possible this will be postponed if Gnome/Red
Hat/whoever wants to do a coordinated disclosure for a later date. If
that happens, I'll let you know. I also do not have a CVE yet--I'm
hoping to hear back from Jan about that.
--Mark
The changes in 2.9.0 are:
Pidgin:
* Fix a potential remote denial-of-service bug related to displaying
buddy icons.
* Significantly improved performance of larger IRC channels (regression
introduced in 2.8.0).
* Fix Conversation->Add on AIM and MSN.
* Entries in the chat user list are sorted properly again. This was
inadvertently broken in 2.8.0.
Finch:
* Fix logging in to ICQ.
libpurple:
* media: Actually use the specified TCP port from the TURN configuration to
create a TCP relay candidate.
AIM and ICQ:
* Fix crashes on some non-mainstream OSes when attempting to
printf("%s", NULL). (Clemens Huebner) (#14297)
Plugins:
* The Evolution Integration plugin compiles again.
Attachment: check_gdkpixbuf_gerror-2.diff (text/x-patch, 31973 bytes)
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20110622/6d006127/attachment-0001.bin>