Pidgin 2.8.0: MSN, No QQ...
darkrain42 at pidgin.im
Fri May 13 09:35:01 EDT 2011
And Jan Lieskovsky spoke on 05/12/2011 08:53 AM, saying:
> This does not sound like a security flaw. If the attacker can MITM a pidgin
> user, they could insert / modify all their data.
> Why Pidgin upstream thinks this should be considered a security issue?
I think we were on the fence about whether it should be or not.
> Having read your above description, would formulate the problem as:
> A NULL pointer deference flaw was found in the way Pidgin MSN protocol handler
> processed user session identifier data from a HTTP connection. A remote
> attacker could use this flaw to spoof the Pidgin client and conduct
> man-in-the-middle (MITM) attacks via specially-crafted user session
> leading to Pidgin crash.
> But if the above paragraph is correct, this would not be considered to
> be a security issue (if the attacker can MITM / insert crafted
> they can modify everything).
This write-up looks accurate based on my understanding of the issue, so it
sounds like we shouldn't be considering it a security flaw.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 900 bytes
Desc: OpenPGP digital signature
More information about the Packagers