Additional Security issues
Ethan Blanton
elb at pidgin.im
Wed Feb 6 08:37:12 EST 2013
Mark Doliner spake unto us the following wisdom:
> On Tue, Feb 5, 2013 at 2:11 PM, Daniel Atallah <daniel.atallah at gmail.com> wrote:
> > * CID 732103 - Fix non-NUL terminated buffer during oscar direct
> > connection negotiation.
> > ** I think this one is pretty severe - my patch is certainly not ideal
>
> This is bad and we should fix it (your patch seems ok to me), but I
> don't think it's a security problem because the local user must have
> agreed to join the Direct IM session with the remote user. I believe
> we generally don't request CVE in cases like this.
If it's just a crasher, I agree -- if it's (potentially) exploitable,
though, I think it needs a CVE.
Ethan