Additional Security issues

Ethan Blanton elb at
Wed Feb 6 08:37:12 EST 2013

Mark Doliner spake unto us the following wisdom:
> On Tue, Feb 5, 2013 at 2:11 PM, Daniel Atallah <daniel.atallah at> wrote:
> >  * CID 732103 - Fix non-NUL terminated buffer during oscar direct
> > connection negotiation.
> >  ** I think this one is pretty severe - my patch is certainly not ideal
> This is bad and we should fix it (your patch seems ok to me), but I
> don't think it's a security problem because the local user must have
> agreed to join the Direct IM session with the remote user.  I believe
> we generally don't request CVE in cases like this.

If it's just a crasher, I agree -- if it's (potentially) exploitable,
though, I think it needs a CVE.


More information about the security mailing list