I'm a dev on the Pidgin project and I just looked at the original diff
from the CRISP advisory. I wasn't able to find a flaw in the
libpurple source code. If someone can point out exactly how the leak
happens, or provide a proof of concept XML file that demonstrates the
leak, I'll gladly look at
Moritz Muehlenhoff wrote:
Ari, could you check with upstream, whether this has been fixed by now?
I'm pretty sure it's not fixed anywhere. I don't remember the exact
reason why, but I think it had to do with either lack of a good exploit
case, or lack of a proper fix.
--
To UNSUBSCRIBE, e
On Thu, Nov 13, 2008 at 12:23:15PM -0500, Ari Pollak wrote:
> CVE-2008-2956 is the only remaining bug that hasn't been fixed upstream.
> It's not considered serious because of the reasons given earlier:
>
> The other issue (CVE-2008-2956) can only be exploited, when the client
> is connecting to a
CVE-2008-2956 is the only remaining bug that hasn't been fixed upstream.
It's not considered serious because of the reasons given earlier:
The other issue (CVE-2008-2956) can only be exploited, when the client
is connecting to a server that either does not check for malformed XML
or send them. The
This seems like a fairly serious security bug to be left alone for
several months...is there anyone involved in maintaining pidgin working
on patching this?
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Hi,
According to [1] at least CVE-2008-2957 has been fixed upstream in
version 2.5.0
The fix looks the same as the one from [2] in libpurple/upnp.c but
differs a bit in libpurple/util.c
Unfortunately the upstream SCM is currently down so I was not able to
exract the patch from there.
[1] http:/
Hi,
the only thing which is fixed in 2.4.3 so far is
CVE-2008-2927 but none of the CVE ids included in the bug
report are fixed from what I can see.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot1
Steffen Joeris wrote:
> P.S. Did you check the proposed patches[0][1] yet?
Upstream has still not made a decision about how to fix them, and I
don't want to apply a random patch that may or may not fix the issue
properly.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubsc
reopen 488632
severity 488632 normal
thanks
While I do agree that the remaining issues (CVE-2008-2957, CVE-2008-2956) are
not RC bugs, I still believe they should be addressed. Thus, I reopened the
bug and lowered the severity
to normal.
From what I've read, only people in the buddy list can tr
Hi,
Secunia reports [0] that the bug reported by Juan Pablo Lopez Yacubian on
Buqtraq is also present in 2.4.2.
Greetings,
Kai
[0] http://secunia.com/advisories/30881/
--
Kai Wasserbäch (Kai Wasserbaech)
E-Mail: [EMAIL PROTECTED]
Jabber (debianforum.de): Drizzt
URL: http://wiki.debianforum
Package: pidgin
Severity: grave
Tags: security
Justification: user security hole
Hi
The following email came over the public security list:
There are three pidgin flaws that could use CVE ids.
http://marc.info/?l=bugtraq&m=121449329530282&w=4
And two here:
http://crisp.cs.du.edu/?q=ca2007-1
I
11 matches
Mail list logo
