"Integer overflow in libpurple/protocols/gg/lib/http.c in the Gadu-Gadu (gg) parser in Pidgin before 2.10.8 allows remote attackers to have an unspecified impact via a large Content-Length value, which triggers a buffer overflow." Reproducible: Always
thanks for the report.
I know this isn't some high priority, used widely package, but the fix is something like: mv libgadu-1.11.{2,3}.ebuild and it's been over a month… ;)
*libgadu-1.11.3 (06 May 2014) 06 May 2014; Manuel Rüger <mrueg@gentoo.org> +libgadu-1.11.3.ebuild, -libgadu-1.11.2.ebuild: Version bump. See bug #505558 Ebuild in tree. Package has stable keywords. Stabilization required, before removing vulnerable versions.
Please advise when ready to proceed with stabilization.
=net-libs/libgadu-1.11.4 is ready to be stabilized. libgadu-1.11.4 instead of 1.11.3, because of bug 510714.
Arches, please test and mark stable: =net-libs/libgadu-1.11.4 Target Keywords : "alpha amd64 hppa ia64 ppc ppc64 spark x86" Thank you!
Stable for HPPA.
amd64 stable
x86 stable
ia64 stable
ppc64 stable
ppc stable
alpha stable
CVE-2013-6487 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6487): Integer overflow in libpurple/protocols/gg/lib/http.c in the Gadu-Gadu (gg) parser in Pidgin before 2.10.8 allows remote attackers to have an unspecified impact via a large Content-Length value, which triggers a buffer overflow.
sparc stable
New stable has regression: bug #520946
missing arm..
arm stable, all arches done.
Arches, Thank you for your work Maintainer(s), please drop the vulnerable version(s). New GLSA Request filed.
Affected versions dropped.
Thanks, Maciej!
This issue was resolved and addressed in GLSA 201508-02 at https://security.gentoo.org/glsa/201508-02 by GLSA coordinator Yury German (BlueKnight).