Gaim plans on releasing 1.3.1 on Thursday to fix a Yahoo DoS. It is possible to crash gaim by sending a file transfer of a file with a file name with some character sets.
Patch @ http://cvs.sourceforge.net/viewcvs.py/gaim/gaim/src/protocols/yahoo/yahoo_filexfer.c?r1=1.13.2.9&r2=1.13.2.10&diff_format=u
rizzo: please don't commit anything until the public release. Then it's your call between applying the patch to the current one, or releasing a pure 1.3.1.
I'd rather just wait for 1.3.1. It will be out tomorrow night.
An MSN DOS was also posted today to the gaim-packagers list which *should* be fixed for 1.3.1 as well.
gaim-1.3.1 is now in portage, stable x86, unstable all others.
MSN Remote DoS (CAN-2005-1934)
Discovered By Hugo de Bokkenrijder
Remote attackers can cause a denial of service (crash) via a malformed MSN message that leads to a memory allocation of a large size, possibly due to an integer signedness error.

Remote Yahoo! crash (CAN-2005-1269)
Discovered By Jacopo Ottaviani
Remote denial of service when being offered files with names containing non-ASCII characters.
Target KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86"
Arches, please test and mark stable
sparc stable.
Stable on ppc.
stable on amd64
stable on alpha ia64
arm stable
stable on ppc64
Stable on hppa.
GLSA 200506-11
mips: remember to mark stable to benefit from GLSA
Stable on mips.