Launchpad has imported 6 comments from the remote bug at https://bugzilla.redhat.com/show_bug.cgi?id=453764.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2008-07-02T13:14:49+00:00 Josh wrote:

An integer overflow in Pidgin's MSN protocol handler could allow a malformed SLP message to cause an integer overflow, which could result in arbitrary code execution.

This flaw is only exploitable by individuals who can message a user, which is controlled by the Pidgin privacy setting. The default setting is to only allow messages from users in the buddy list.

Reply at: https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/245770/comments/0

------------------------------------------------------------------------
On 2008-07-02T13:14:49+00:00 Josh wrote:

Created attachment 310788
Proposed upstream patch

Reply at: https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/245770/comments/1

------------------------------------------------------------------------
On 2008-07-02T14:37:24+00:00 Warren wrote:

# # # patch "libpurple/protocols/msnp9/slplink.c" # from [0148f31961bbe4a9a992377e70db082952505db4] # to [f65596ea173bf7c9c1114edd7599140f470e7788] # ============================================================ --- libpurple/protocols/msnp9/slplink.c 0148f31961bbe4a9a992377e70db082952505db4 +++ libpurple/protocols/msnp9/slplink.c f65596ea173bf7c9c1114edd7599140f470e7788 
@@ -597,7 +597,7 @@ msn_slplink_process_msg(MsnSlpLink *slpl } else if (slpmsg->size) { - if ((offset + len) > slpmsg->size) + if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size) { purple_debug_error("msn", "Oversized slpmsg\n"); g_return_if_reached();

For reference, this is the upstream patch that went into 2.4.3. I need to backport this for pidgin-2.3.1 in RHEL4 and RHEL5, and pidgin-1.5.x in RHEL3.

Reply at: https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/245770/comments/2

------------------------------------------------------------------------
On 2008-07-04T02:01:38+00:00 Josh wrote:

I'm making this bug public in order to avoid creating confusion.

Reply at: https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/245770/comments/3

------------------------------------------------------------------------
On 2008-08-27T19:50:04+00:00 Tomas wrote:

Upstream advisory:
http://www.pidgin.im/news/security/?id=25

Fixed upstream in: 2.4.3

Reply at: https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/245770/comments/8

------------------------------------------------------------------------
On 2009-06-09T07:14:17+00:00 Red wrote:

This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0584.html

Fedora:
  https://admin.fedoraproject.org/updates/F10/FEDORA-2009-5597
  https://admin.fedoraproject.org/updates/F11/FEDORA-2009-5583
  https://admin.fedoraproject.org/updates/F9/FEDORA-2009-5552

Reply at: https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/245770/comments/10

** Changed in: pidgin (Fedora)
       Status: Unknown => Fix Released

** Changed in: pidgin (Fedora)
   Importance: Unknown => Medium

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/245770

Title:
  [CVE-2008-2927] MSN integer overflow in Pidgin
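
Review bot: in the msn_slplink_process_msg hunk of libpurple/protocols/msnp9/slplink.c, the added guard `G_MAXSIZE - len < offset` only rules out wraparound of `offset + len` if both operands are unsigned and the sum is computed at the width of gsize, and the declarations of `offset`, `len` and `slpmsg->size` are not visible in the hunk. It would be more robust to state the bound without any addition, for example `offset > slpmsg->size || len > slpmsg->size - offset` (assuming all three are unsigned), so the check no longer depends on matching the constant to the operand types. A one-line comment above the test saying that it exists to catch wraparound from a malformed SLP message would also help keep the first clause from being dropped as redundant during the 2.3.1 and 1.5.x backports.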