Pidgin 2.10.4 and a possible remote crash
Mark Doliner
mark at kingant.net
Mon May 7 01:34:30 EDT 2012
FYI we just released Pidgin 2.10.4. Publicly we listed two potential
remote crashes. Privately, I'm not concerned about the XMPP one at
all. I think it requires the victim to accept a file transfer before
the crash is triggered. The reporter obtained a CVE for this on his
own (CVE-2012-2214).
The MSN remote crash seems worse to me. I think it's worth patching.
I don't believe a CVE exists for this, and I'm about to request one.
Info about the two problems here:
http://pidgin.im/news/security/?id=62 (xmpp)
http://pidgin.im/news/security/?id=63 (msn)
Diff to fix the XMPP bug:
http://developer.pidgin.im/viewmtn/revision/rawdiff/ff142855237badeceb6d61e1d96f0410f94d6eaf/with/d991ff6d558d185527a09eae0378edb3fc7057a5
Diff to fix the MSN bug:
http://developer.pidgin.im/viewmtn/revision/rawdiff/d991ff6d558d185527a09eae0378edb3fc7057a5/with/94cbd5a68ee237c970d8bd6d9d53106f1b9627ad
In addition, 2.10.4 supports building against the renamed "Farstream"
library for voice and video (in addition to the original "Farsight"
name).