
Bug 276000 (CVE-2009-1889)

Summary: <net-im/pidgin-2.5.8: Remote Oscar protocol DoS (CVE-2009-1889)
Product: Gentoo Security
Reporter: Alex Legler (RETIRED) <a3li>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: magowiz, net-im
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://developer.pidgin.im/ticket/9483
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-30 20:41:44 UTC
Quoting Jan Lieskovsky <jlieskov@redhat.com>:
> [...]
> Flaw description:
> -----------------
> An out-of-memory denial of service flaw was found in the Pidgin's
> OSCAR protocol implementation. If a remote ICQ user sent a web
> message to the local Pidgin user using this protocol, it would lead to
> excessive memory allocation and denial of service (Pidgin crash).
>
> Affected Pidgin versions: 2.4.0 <= Pidgin <= 2.5.7
>
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-30 21:05:55 UTC
net-im: Can we go stable with 2.5.8?
Comment 2 Olivier Crete (RETIRED) gentoo-dev 2009-07-06 10:56:57 UTC
Sure, let's go to stable.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-06 11:00:06 UTC
Alright.

Arches, please test and mark stable:
=net-im/pidgin-2.5.8
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 4 Brent Baude (RETIRED) gentoo-dev 2009-07-06 18:54:45 UTC
ppc64 done
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-07-06 18:54:53 UTC
ppc done
Comment 6 Ferris McCormick (RETIRED) gentoo-dev 2009-07-06 20:26:15 UTC
Sparc stable.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2009-07-06 20:53:56 UTC
Stable for HPPA.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-07 18:14:42 UTC
x86 stable
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2009-07-07 20:30:36 UTC
amd64 stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-07-08 14:21:16 UTC
alpha/ia64 stable
Comment 11 Tobias Heinlein (RETIRED) gentoo-dev 2009-07-08 20:32:48 UTC
Ready for vote. I vote YES.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 10:53:25 UTC
Client crash, I vote NO. Just restart your client or don't use malicious ICQ servers.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-10 17:57:07 UTC
MITM would be possible and could lead to a connection to an evil server, but if you can do MITM already you can use other means for DoS anyway.

So, I vote NO, too. Closing.
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-10 18:47:20 UTC
I first read server instead of user. Doesn't matter, it's still only a client crash.
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2009-09-26 20:13:46 UTC
Since a GLSA has been drafted for a few other issues, this could easily be included.
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-22 19:12:14 UTC
GLSA 200910-02, thanks everyone.