Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 276000 (CVE-2009-1889) - <net-im/pidgin-2.5.8: Remote Oscar protocol DoS (CVE-2009-1889)
Summary: <net-im/pidgin-2.5.8: Remote Oscar protocol DoS (CVE-2009-1889)
Status: RESOLVED FIXED
Alias: CVE-2009-1889
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://developer.pidgin.im/ticket/9483
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-06-30 20:41 UTC by Alex Legler (RETIRED)
Modified: 2009-10-22 19:12 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-30 20:41:44 UTC
Quoting Jan Lieskovsky <jlieskov@redhat.com>:
> [...]
> Flaw description:
> -----------------
> An out-of-memory denial of service flaw was found in the Pidgin's
> OSCAR protocol implementation. If a remote ICQ user sent a web
> message to the local Pidgin user using this protocol, it would lead to
> excessive memory allocation and denial of service (Pidgin crash).
>
> Affected Pidgin versions: 2.4.0 <= Pidgin <= 2.5.7
>
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-30 21:05:55 UTC
net-im: Can we go stable with 2.5.8?
Comment 2 Olivier Crete (RETIRED) gentoo-dev 2009-07-06 10:56:57 UTC
Sure, lets to stable
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-06 11:00:06 UTC
Alright.

Arches, please test and mark stable:
=net-im/pidgin-2.5.8
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86
Comment 4 Brent Baude (RETIRED) gentoo-dev 2009-07-06 18:54:45 UTC
ppc64 done
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-07-06 18:54:53 UTC
ppc done
Comment 6 Ferris McCormick (RETIRED) gentoo-dev 2009-07-06 20:26:15 UTC
Sparc stable.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2009-07-06 20:53:56 UTC
Stable for HPPA.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-07 18:14:42 UTC
x86 stable
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2009-07-07 20:30:36 UTC
amd64 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-07-08 14:21:16 UTC
alpha/ia64 stable
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2009-07-08 20:32:48 UTC
Ready for vote. I vote YES.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 10:53:25 UTC
client crash, I vote NO. just restart your client or don't use malicious icq servers.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-10 17:57:07 UTC
MITM would be possible and could lead to a connection to an evil server, but if you can do MITM already you can use other means for DOS anyways.

So, I vote NO, too. Closing.
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-10 18:47:20 UTC
I first read server instead of user. Doesn't matter, it's still only a client crash.
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2009-09-26 20:13:46 UTC
Since a GLSA has been drafted for a few other issues, this could easily be included.
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-22 19:12:14 UTC
GLSA 200910-02, thanks everyone.