Bug 110430 - net-im/skype: Heap overflow in networking routine (CVE-2005-3267)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: http://www.skype.com/security/skype-s...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-10-25 05:13 UTC by Carsten Lohrke (RETIRED)
Modified: 2005-12-27 01:01 UTC

See Also:
Package list:
Runtime testing required: ---


Description Carsten Lohrke (RETIRED) gentoo-dev 2005-10-25 05:13:29 UTC
A security bug in the Skype user client, for all platforms, has
been identified and fixed.

Skype can be remotely forced to crash due to an error in bounds
checking in a specific networking routine.
Discussion

An attacker who sends a stream of specifically-crafted network
traffic to a Skype client network can cause the client to overwrite
part of the heap, including the heap integrity control data. Since
the attacker cannot control the address where the data is written,
the most likely effect will be that Skype will abort execution
due to an internal error, although other unpredictable behavior is
possible.

Such a crash will lead to a loss of availability of the Skype
application until it is restarted by the user. Skype has been able
to induce Skype clients to crash, but has not been able to cause the
client to execute specific instructions.

This is tracked by Mitre CVE ID CVE-2005-3267.

http://www.skype.com/security/skype-sb-2005-03.html
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-10-25 05:20:34 UTC
net-im, please provide fixed ebuilds
Comment 2 Gustavo Felisberto (RETIRED) gentoo-dev 2005-10-25 08:00:08 UTC
fixed version in portage now, older versions removed.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2005-10-25 08:24:35 UTC
never stable -> no GLSA. we are done, thanks everybody.
Comment 4 Petteri Räty (RETIRED) gentoo-dev 2005-12-26 13:55:28 UTC
(In reply to comment #3)
> never stable -> no GLSA. we are done, thanks everybody.
> 

http://www.gentoo.org/cgi-bin/viewcvs.cgi/net-im/skype/skype-1.0.0.1.ebuild?view=markup
At least 1.0.0.1 has been stable. The ChangeLog does not give any clues why this has been dropped to only ~arch.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-12-27 01:01:07 UTC
Yes, you're right, it's been stable for about 3-4 months at version 1.0.0.1...

net-im, do you think one of the recent fixed versions would make a good candidate for stable? In which case we could issue a GLSA when it's done...