http://www.pidgin.im/news/security/?id=23 "A remote MSN user that is not on the buddy list can cause a denial of service (crash) by sending a nudge message. The protocol plugin attempts to look up the buddy's information and accesses an invalid memory location if the user is not on the buddy list." Reproducible: Always Steps to Reproduce:
Chaze, thanks for the report. net-im, please advise.
Fix version 2.2.1 is in the tree. Arch teams: please stabilize this version
I'd also like to suggest that this is probably A3 since MSN is popular enough to be considered a default situation...
Sparc stable; looks good.
(In reply to comment #3) > I'd also like to suggest that this is probably A3 since MSN is popular enough > to be considered a default situation... > Probably, but AFAICT this is a simple client DoS, hardly a security issue... I'll keep it B3 so we'll vote later for glsa need.
alpha/ia64/x86 stable
Stable for HPPA.
ppc stable
amd64 stable
I removed all vulnerable versions from the tree. Its your turn now.
(In reply to comment #5) > Probably, but AFAICT this is a simple client DoS, hardly a security issue... > I'll keep it B3 so we'll vote later for glsa need. Since this can be triggered remotely and by anyone, I'd say this is more than a "simple DoS" (as in "I start my application on this file and it crashes").
(In reply to comment #11) > (In reply to comment #5) > > Probably, but AFAICT this is a simple client DoS, hardly a security issue... > > I'll keep it B3 so we'll vote later for glsa need. > > Since this can be triggered remotely and by anyone, I'd say this is more than a > "simple DoS" (as in "I start my application on this file and it crashes"). > true, I missed that. I tend to vote YES then.
As a general rule we don't GLSA client-side DoS. I don't see anything here that makes it more than that.
I vote NO -> closing with NO GLSA (2 no votes - ½? yes).
