Lots of crashes (exploitable?) reported in Fedora

Ethan Blanton elb at pidgin.im
Fri Apr 13 14:19:51 EDT 2012


Vincent Danen spake unto us the following wisdom:
> Hi folks.  I'm not sure whether this should be considered
> security-sensitive or not, but we've had a number of crashes reported on
> pidgin in Fedora:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=720781

Are the extra threads created by the crash-reporting process, or is
Fedora doing something stupid with plugins?  I see at least some of
those include third-party plugins, some of which I do not recognize.

The threads seem to be using different glib contexts, so they may be
safe, but ...

> The bug is public as these were all sent by abrt collecting info on
> Pidgin crashes and they seem to be all over the place.  I have not much
> experience with Pidgin or trying to determine whether or not these might
> be considered security flaws, but could you take a look at the bug and
> see if they might be?
> 
> Again, the bug is public but I wanted to give you a heads-up.  I don't
> believe these are more than crashes, but at least one user in the bug
> seems to think these should be security-relevant.

The crash-on-demand from a jabber call is indeed concerning.

Ethan