Bug 324023 (CVE-2010-1624) - net-im/pidgin denial of service via a custom emoticon in a malformed SLP message (CVE-2010-1624)
Status: RESOLVED FIXED
Alias: CVE-2010-1624
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.pidgin.im/news/security/in...
Whiteboard: B4 [noglsa]
Keywords:
Duplicates: 324701
Depends on: 322813
Blocks: 324077
Reported: 2010-06-14 21:50 UTC by Matthias Geerdsen (RETIRED)
Modified: 2010-09-29 21:38 UTC (History)

Description Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-14 21:50:07 UTC
CVE-2010-1624 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1624):
  The msn_emoticon_msg function in slp.c in the MSN protocol plugin in
  libpurple in Pidgin before 2.7.0 allows remote attackers to cause a
  denial of service (application crash) via a custom emoticon in a
  malformed SLP message.
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-15 20:37:35 UTC
net-im, can we go ahead with stabling of 2.7.1-r1?
Comment 2 Olivier Crete (RETIRED) gentoo-dev 2010-06-15 20:52:54 UTC
There are a lot of changes in the ebuild between 2.6.x and 2.7.1-r1 ...
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2010-06-16 19:12:59 UTC
Yup. @security, if nothing pops up (no new bugs, no changes in tree) go ahead on 21 Jun (but I'll try to remember about this bug too).
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2010-07-01 09:57:16 UTC
Ok, arch teams, please stabilize net-im/pidgin-2.7.1-r1 (and new net-libs/libgadu dependency as required).
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-01 11:36:40 UTC
(In reply to comment #4)
> Ok, arch teams, please stabilize net-im/pidgin-2.7.1-r1 (and new
> net-libs/libgadu dependency as required).

No newer libgadu is needed according to DEPEND line.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-01 11:38:46 UTC
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2010-07-01 19:01:31 UTC
Stable for HPPA.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2010-07-03 16:10:20 UTC
alpha/ia64/sparc stable
Comment 9 Pacho Ramos gentoo-dev 2010-07-08 09:17:04 UTC
*** Bug 324701 has been marked as a duplicate of this bug. ***
Comment 10 Brent Baude (RETIRED) gentoo-dev 2010-07-08 17:48:45 UTC
ppc64 done
Comment 11 Markos Chandras (RETIRED) gentoo-dev 2010-07-11 10:30:27 UTC
amd64 done
Comment 12 Joe Jezak (RETIRED) gentoo-dev 2010-07-19 00:40:18 UTC
Marked ppc stable.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:36:43 UTC
DOS in client app -> closing noglsa.
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2010-09-29 21:38:38 UTC
...and actually closing.