Proposed text for MSN emoticon DoS
John Bailey
rekkanoryo at rekkanoryo.org
Wed May 12 01:21:14 EDT 2010
I'm proposing this for the security news page to explain the DoS fixed in 2.7.0:
array(
"title" => "MSN emoticon denial of service",
"date" => "2010-05-12",
"cve" => "",
"summary" => "Libpurple clients can crash due to malformed SLP message",
"description" => "A vulnerability was discovered in libpurple's MSN
protocol plugin that can cause a denial of service (crash) due to insufficient
validation of certain SLP packets related to custom emoticons. An attacker
could use this vulnerability to remotely crash a client using libpurple for
MSN. It is not possible for this vulnerability to be exploited for code
execution.",
"fix" => "Validation has been added to the MSN plugin to prevent
the crash.",
"fixrevisions" => "894460d22c434e73d60b71ec031611988e687c8b",
"fixedversion" => "2.7.0",
"discoveredby" => "Pierre Noguès of Meta Security"
)
Obviously the revision referenced doesn't exist for any of you yet, but in my
local database, this revision is Elliott's patch to fix the crash.
Input welcome :)
John