On Thu, Apr 07, 2005 at 05:33:13PM +0100, Adam D. Barratt wrote:
> tags - sid
> thanks
>
> On Thursday, April 07, 2005 4:29 PM, Helge Kreutzmann
> <[EMAIL PROTECTED]> wrote:
>
> > Unfortunately the CAN-pages are not yet present, the summary on
> > http://lwn.net/Articles/130537/
> >
> > seems to indicate, that "only" a DOS is possible, if indeed
> > information *from* the user can be extracted, then please raise the
> > priority.

I'm not sure how you think from reading that, or our description, or the patch involved, that information could go back to the attacker. One crash in question *presumes* that pango cannot handle arbitrarily large font sizes, an assumption that I do not think has been tested. The other assumes that gaim/gtk will not prevent sufficient windows from opening such that gaim crashes. This second one is quite possible.

> > If you've fixed them in 1:1.2.1-1 or earlier please remove the sid-tag
> > (and maybe add a CAN in a later upload).
>
> According to http://gaim.sourceforge.net/security/ CAN-2005-096[5-7] were
> all fixed in upstream's 1.2.1 release; setting tags appropriately. (fwiw,
> as far as I can see 1:1.2.1-1 should be entering sarge in the next couple of
> days, rendering this as a woody-only issue).
>
> The changelog for 1:1.2.1-1 says
>
> * New upstream version. Fixes IRC escaping remote DOS problems, hence medium
>   priority.
>
> which I would assume is a reference to CAN-2005-0966

Right, these are fixed in 1.2.1 upstream, and thus in Robot101 & Ari's 1.2.1-1 package.

luke

> Regards,
>
> Adam