CVE-2008-2828 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2828): Stack-based buffer overflow in tmsnc allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an MSN packet with a UBX command containing a large UBX payload length field.
Created attachment 159737: tmsnc-UBX-buffer-overflow-CVE-2008-2828. Here's the patch from Nico Golde. net-im, please bump as necessary.
(In reply to comment #1)
> Created an attachment (id=159737)
> tmsnc-UBX-buffer-overflow-CVE-2008-2828
>
> here's the patch from Nico Golde. net-im, please bump as necessary.
*ping*
+*tmsnc-0.3.2-r1 (04 Oct 2008) + + 04 Oct 2008; Robert Buchholz <rbu@gentoo.org> + +files/tmsnc-UBX-buffer-overflow-CVE-2008-2828.patch, + +tmsnc-0.3.2-r1.ebuild: + Fix stack based buffer overflow (security bug #229157) +
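Review bot: the ChangeLog text "Fix stack based buffer overflow (security bug #229157)" names neither the CVE nor the affected input, although the patch file name in the same entry carries both (UBX, CVE-2008-2828). Putting the CVE id and "UBX" in the message itself would let the entry be found by searching the log for the CVE, without relying on the file list.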
Arches, please test and mark stable: =net-im/tmsnc-0.3.2-r1 Target keywords : "amd64 hppa ppc x86"
Hmm, I get "The protocols doesn't match"[sic] during login. Any ideas?
In June/July there has been a protocol change in ICQ, all ICQ clients were affected. tmsnc is discontinued, their SVN tree (http://tmsnc.svn.sourceforge.net/viewvc/tmsnc/so) is 2 years old. If 0.3.2 does not work anymore, it's very likely we won't get a fix. Proposed solutions: a) we fix it b) remove it from the tree Also see: http://forums.gentoo.org/viewtopic-t-698545-highlight-licq.html
I guess I should have tried more than a program startup. I'm removing arches, let's remove this.
gone from the tree
glsa still to be sent
GLSA 200903-26