Denial of Service Vulnerabilities

Daniel Atallah daniel.atallah at gmail.com
Tue Feb 26 12:19:29 EST 2013


On Mon, Feb 25, 2013 at 9:14 AM, Fabian Yamaguchi
<fabian.yamaguchi at cs.uni-goettingen.de> wrote:
> Hi Pidgin Security Team,
>
> we would like to report some denial of service vulnerabilities we
> found during our research on automatically identifying missing checks
> in source code. Two of these crashes can be triggered by another user.

Thanks for your analysis, we always appreciate this type of report.

I took an initial look at all of the issues reported and agree with
the assessments.

The one note is that I think (5) mxit_add_buddy NULL pointer deref.
isn't actually a security problem as such since it can only be
triggered by the user directly.

We will get CVEs for the rest of these items and address them
(hopefully in the next 2.10.8 release (no date set yet)).
We will credit "Fabian Yamaguchi and Christian Wressnegger of the
University of Goettingen" with finding these - does that sound
correct?

<SNIP>

Thanks again,
-D

