
Bug 324023 (CVE-2010-1624)

Summary: net-im/pidgin denial of service via a custom emoticon in a malformed SLP message (CVE-2010-1624)
Product: Gentoo Security
Reporter: Matthias Geerdsen (RETIRED) <vorlon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: net-im, pacho
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.pidgin.im/news/security/index.php?id=46
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 322813    
Bug Blocks: 324077    

Description Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-14 21:50:07 UTC
CVE-2010-1624 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1624):
  The msn_emoticon_msg function in slp.c in the MSN protocol plugin in
  libpurple in Pidgin before 2.7.0 allows remote attackers to cause a
  denial of service (application crash) via a custom emoticon in a
  malformed SLP message.
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-15 20:37:35 UTC
net-im, can we go ahead with stabling of 2.7.1-r1?
Comment 2 Olivier Crete (RETIRED) gentoo-dev 2010-06-15 20:52:54 UTC
There are a lot of changes in the ebuild between 2.6.x and 2.7.1-r1 ...
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2010-06-16 19:12:59 UTC
Yup. @security, if nothing pops up (no new bugs, no changes in tree) go ahead on 21 Jun (but I'll try to remember about this bug too).
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2010-07-01 09:57:16 UTC
Ok, arch teams, please stabilize net-im/pidgin-2.7.1-r1 (and new net-libs/libgadu dependency as required).
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-01 11:36:40 UTC
(In reply to comment #4)
> Ok, arch teams, please stabilize net-im/pidgin-2.7.1-r1 (and new
> net-libs/libgadu dependency as required).

No newer libgadu is needed according to the DEPEND line.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-01 11:38:46 UTC
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2010-07-01 19:01:31 UTC
Stable for HPPA.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2010-07-03 16:10:20 UTC
alpha/ia64/sparc stable
Comment 9 Pacho Ramos gentoo-dev 2010-07-08 09:17:04 UTC
*** Bug 324701 has been marked as a duplicate of this bug. ***
Comment 10 Brent Baude (RETIRED) gentoo-dev 2010-07-08 17:48:45 UTC
ppc64 done
Comment 11 Markos Chandras (RETIRED) gentoo-dev 2010-07-11 10:30:27 UTC
amd64 done
Comment 12 Joe Jezak (RETIRED) gentoo-dev 2010-07-19 00:40:18 UTC
Marked ppc stable.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:36:43 UTC
DOS in client app -> closing noglsa.
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2010-09-29 21:38:38 UTC
...and actually closing.