Format String Bug into libsilcclient 1.1.2

Joilson Rabelo joilson.rabello at gmail.com
Fri Oct 14 17:28:08 EDT 2011


I just tried to exploit it last year and it worked, yes it is the windows
package, anyway, i'm going to check if it's still vulnerable

On Fri, Oct 14, 2011 at 6:20 PM, Daniel Atallah <daniel.atallah at gmail.com>wrote:

> On Fri, Oct 14, 2011 at 17:01, Ethan Blanton <elb at pidgin.im> wrote:
> > Joilson Rabelo spake unto us the following wisdom:
> >> Libsilcclient 1.1.2 dll is vulnerable to format string attacks since
> 2009
> >> and i'd like to know why you guys did not updated it?
> >>
> >> Pidgin 2.10 is obviously vulnerable since it uses 1.1.2, please upgrade
> to
> >> 1.1.3 and the problem is going to be solved, it's a serious bug and can
> lead
> >> to Remote Code Execution
> >
> > I assume you are talking specifically about our Windows package, is
> > that true?  (We do not bundle libsilc with our sources.)
>
> The Windows Package currently ships with libsilc 1.1.8.
>
> The name of the DLL is still "libsilcclient-1-1-2.dll" due to how the
> libsilc build scripts work.
>
> -D
>



-- 
Joilson Rabelo

Computer Engineering ( undergraduate ) - UNIFACS
Researcher, Tsar - http://shinku.tsar.in
Undergraduate Researcher, Fapesb
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20111014/eeed7696/attachment.html>


More information about the security mailing list