XMMP/Jabber clients DoS vulnerability report

Andrea Barisani lcars at ocert.org
Sun Feb 14 17:29:09 EST 2010

On Sun, Feb 14, 2010 at 12:53:56PM -0800, Mark Doliner wrote:
> On Thu, Jan 28, 2010 at 1:41 AM, Andrea Barisani <lcars at ocert.org> wrote:
> > On Wed, Jan 27, 2010 at 10:45:50PM -0500, Ethan Blanton wrote:
> >> Andrea Barisani spake unto us the following wisdom:
> >> > oCERT is mainly concerned about the issue not being exploitable as we
> >> > generally don't issue advisory about "simple DoS conditions.
> >>
> >> This is not an exploitable bug, it is simply a denial of service
> >> through resource allocation.
> *snip*
> > We won't release a public advisory (unless you specifically want us to).
> > Embargo date sounds good to us, if you send us a patch we will forward it to
> > vendor-sec and/or other linux vendors pointing out the embargo date to speed
> > up patching if you like. Just make sure you give us the exact date if
> > possible, so that I can reference that.
> Ari Pollak from Debian asked if there is a CVE# for this issue?  I
> don't believe there is, but I thought I would check.
> I think in the past we have had CVE#s issued for denial of service
> bugs like this.  Unless you have any objections I guess I'll ask one
> of the distributions who packages Pidgin to request a CVE# for this.
> I don't know if that's something that oCERT usually does?  Or if you
> have a preference who requests the number?

Please use CVE-2010-0423 which was assinged for this.


> --Mark

Andrea Barisani |                Founder & Project Coordinator
          oCERT | Open Source Computer Emergency Response Team

<lcars at ocert.org>                         http://www.ocert.org
 0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
        "Pluralitas non est ponenda sine necessitate"

More information about the security mailing list