Crash in Pidgin and Adium on XMPP MUC Presence

Mark Doliner mark at kingant.net
Mon Feb 27 02:48:21 EST 2012


Woah, ok, so you're saying these are all the same bug:
- Kevin Stange's "Crash in Pidgin and Adium on XMPP MUC Presence."
- http://developer.pidgin.im/ticket/14864 "Pidgin crashes upon Nick
change in SILC channel"
- http://developer.pidgin.im/ticket/14392 "get_iter_from_chatbuddy can
dereference NULL pointer"
And are all fixed by
http://developer.pidgin.im/viewmtn/revision/info/e30e044988add329e86eaf06a2f6ab1b3c5c47bb?

I haven't looked at them in depth, and my brain isn't working well
enough to do that right now, but I'm willing to believe that.  If
that's the case, the revised vulnerability list is:

- Crash when chat room buddies change presence (or nickname?).
Affects at least XMPP and SILC.  Reported by Kevin Stange (at the
beginning of this email thread), clh at
http://developer.pidgin.im/ticket/14392, and jefftheriffer at
http://developer.pidgin.im/ticket/14864.  Fixed in im.pidgin.pidgin in
http://developer.pidgin.im/viewmtn/revision/info/d1d77da56217f3a083e1d459bef054db9f1d5699.
Backported to im.pidgin.pidgin.2.x.y in
http://developer.pidgin.im/viewmtn/revision/info/e30e044988add329e86eaf06a2f6ab1b3c5c47bb.
This is public.  I'm not aware of a CVE.  I'll request one from
oss-security at lists.openwall.com a few days before releasing.

- Possible crashes from not validating incoming MSN messages as UTF-8.
 Reported by xnyhps in http://developer.pidgin.im/ticket/14884 and
RomainMuller in http://trac.adium.im/ticket/15774.  Fixed in
im.pidgin.pidgin in
http://developer.pidgin.im/viewmtn/revision/info/3053d6a37cc6d8774aba7607b992a4408216adcd.
Backported to im.pidgin.pidgin.2.x.y in
http://developer.pidgin.im/viewmtn/revision/info/18f2f94b625542348af0049e0132a83a1c58aef6.
This is public.  I'm not aware of a CVE.  I'll request one from
oss-security at lists.openwall.com a few days before releasing.

- GTK+ in Windows crashes on non-BMP UTF-8 code points
(https://bugzilla.gnome.org/show_bug.cgi?id=668154).  Is there
anything we can do about this?  It sounds like it might be fixed in
new GTK... maybe we just need to bundle the new version?
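
As an added illustration of the second item above (MSN messages not validated as UTF-8), and not part of Mark's message or of Pidgin's code: a stand-alone strict UTF-8 validator in C. In a GLib-based code base the equivalent check is g_utf8_validate(); writing it out shows which byte sequences an inbound message must be rejected for before it reaches the GTK+ text widgets (overlong forms, UTF-16 surrogates, values above U+10FFFF, stray continuation bytes, truncated sequences), and it also counts code points outside the BMP, which is the class of input the third item (GTK+ on Windows) is about. The sample payloads are constructed for the example, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Pidgin code: result of scanning a buffer as UTF-8. */
typedef struct {
    int valid;          /* 1 if every byte belongs to a well-formed sequence */
    size_t bad_offset;  /* offset of the first malformed byte when valid == 0 */
    size_t codepoints;  /* scalar values decoded before stopping */
    size_t non_bmp;     /* how many of those are above U+FFFF */
} utf8_scan;

/* Strict validation per RFC 3629.  Rejects overlong encodings, UTF-16
 * surrogates (U+D800..U+DFFF), values above U+10FFFF, stray continuation
 * bytes, and sequences truncated by the end of the buffer.  A protocol
 * plugin would run this on every inbound message body and drop or repair
 * anything with valid == 0 before handing the text to the UI. */
utf8_scan utf8_validate(const unsigned char *s, size_t len)
{
    utf8_scan r = {1, 0, 0, 0};
    size_t i = 0;

    while (i < len) {
        unsigned char b = s[i];
        unsigned char lo = 0x80, hi = 0xBF;  /* allowed range of 2nd byte */
        size_t need;                         /* continuation bytes expected */
        uint32_t cp;
        size_t k;

        if (b < 0x80) {                      /* ASCII */
            cp = b; need = 0;
        } else if (b >= 0xC2 && b <= 0xDF) { /* 2-byte; C0/C1 are overlong */
            cp = b & 0x1F; need = 1;
        } else if (b >= 0xE0 && b <= 0xEF) { /* 3-byte */
            cp = b & 0x0F; need = 2;
            if (b == 0xE0) lo = 0xA0;        /* reject overlong E0 80..9F */
            if (b == 0xED) hi = 0x9F;        /* reject surrogates ED A0..BF */
        } else if (b >= 0xF0 && b <= 0xF4) { /* 4-byte */
            cp = b & 0x07; need = 3;
            if (b == 0xF0) lo = 0x90;        /* reject overlong F0 80..8F */
            if (b == 0xF4) hi = 0x8F;        /* reject anything > U+10FFFF */
        } else {                             /* 80..C1, F5..FF never lead */
            r.valid = 0; r.bad_offset = i; return r;
        }

        if (i + need >= len) {               /* sequence cut off by buffer end */
            r.valid = 0; r.bad_offset = i; return r;
        }
        for (k = 1; k <= need; k++) {
            unsigned char c = s[i + k];
            if (c < lo || c > hi) {
                r.valid = 0; r.bad_offset = i + k; return r;
            }
            cp = (cp << 6) | (c & 0x3F);
            lo = 0x80; hi = 0xBF;            /* later bytes: plain 80..BF */
        }
        r.codepoints++;
        if (cp > 0xFFFF) r.non_bmp++;        /* needs a surrogate pair in UTF-16 */
        i += need + 1;
    }
    return r;
}

/* Convenience wrapper for NUL-terminated strings. */
utf8_scan scan_str(const char *s)
{
    return utf8_validate((const unsigned char *)s, strlen(s));
}

int main(void)
{
    /* Constructed sample payloads for the example, not captured traffic. */
    const char *samples[] = {
        "Hi \xe2\x9c\x93",        /* valid, U+2713 inside the BMP */
        "\xf0\x9f\x98\x80",       /* valid, U+1F600 outside the BMP */
        "\xc0\xaf",               /* overlong encoding of '/' */
        "\xed\xa0\x80",           /* UTF-16 surrogate U+D800 */
        "ok\xe2\x82",             /* 3-byte sequence cut short */
        "a\x80" "z",              /* stray continuation byte */
    };
    size_t n;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        utf8_scan r = scan_str(samples[n]);
        if (r.valid)
            printf("sample %zu: valid, %zu code points, %zu non-BMP\n",
                   n, r.codepoints, r.non_bmp);
        else
            printf("sample %zu: malformed at byte %zu, rejecting\n",
                   n, r.bad_offset);
    }
    return 0;
}
```

The second-byte range check (lo/hi) is what makes the validator strict rather than merely structural: a decoder that only counts continuation bytes would accept "\xc0\xaf" as '/' and "\xed\xa0\x80" as a lone surrogate, and both are the kind of input that downstream text handling tends to choke on.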

