Pidgin 2.8.0: MSN, No QQ...
Paul Aurich
darkrain42 at pidgin.im
Fri May 13 09:35:01 EDT 2011
And Jan Lieskovsky spoke on 05/12/2011 08:53 AM, saying:
> This does not sound like a security flaw. If the attacker can MITM a pidgin
> user, they could insert / modify all their data.
>
> Why Pidgin upstream thinks this should be considered a security issue?
I think we were on the fence about whether it should be or not.
> Having read your above description, would formulate the problem as:
>
> A NULL pointer deference flaw was found in the way Pidgin MSN protocol handler
> processed user session identifier data from a HTTP connection. A remote
> attacker could use this flaw to spoof the Pidgin client and conduct
> man-in-the-middle (MITM) attacks via specially-crafted user session
> identifier,
> leading to Pidgin crash.
>
> But if the above paragraph is correct, this would not be considered to
> be a security issue (if the attacker can MITM / insert crafted
> 'full_session_id'
> they can modify everything).
This write-up looks accurate based on my understanding of the issue, so it
sounds like we shouldn't be considering it a security flaw.
~Paul
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20110513/7c9d3965/attachment.pgp>
More information about the Packagers
mailing list