Comment 1 Peter Volkov (RETIRED) 2010-07-22 14:54:55 UTC

This is fixed in pidgin-2.7.2. Arch teams, please, stabilize.

Comment 2 Samuli Suominen (RETIRED) 2010-07-22 15:19:37 UTC

Commit by markdoliner@pidgin.im on im.pidgin.pidgin.2.7.2  :: 

"Problem #1 (the remotely-triggerable crash):
The crash happens when a buddy sets an xstatus message containing <desc>
but no closing </desc>, or <title> but no closing </title>. The fix
is to check the result of strstr(closing_tag_name) and do nothing if it
is NULL. This is CVE-2010-2528."

Comment 3 Paweł Hajdan, Jr. (RETIRED) 2010-07-22 22:00:04 UTC

x86 stable

Comment 4 Tobias Klausmann (RETIRED) 2010-07-23 11:15:59 UTC

Stable on alpha.

Comment 5 Markus Meier 2010-07-23 11:43:52 UTC

amd64 stable

Comment 6 Raúl Porcel (RETIRED) 2010-07-24 15:16:03 UTC

alpha/ia64/sparc stable

Comment 7 Jeroen Roovers (RETIRED) 2010-07-24 16:48:58 UTC

Stable for HPPA.

Comment 8 Jeroen Roovers (RETIRED) 2010-08-06 15:55:48 UTC

Stable for PPC.

Comment 9 Brent Baude (RETIRED) 2010-08-10 16:07:21 UTC

ppc64 done

Comment 10 Stefan Behte (RETIRED) 2010-09-03 21:48:14 UTC

CVE-2010-2528 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2528):
  The clientautoresp function in family_icbm.c in the oscar protocol
  plugin in libpurple in Pidgin before 2.7.2 allows remote
  authenticated users to cause a denial of service (NULL pointer
  dereference and application crash) via an X-Status message that lacks
  the expected end tag for a (1) desc or (2) title element.

Comment 11 Tim Sammut (RETIRED) 2010-11-19 07:28:04 UTC

GLSA Vote: Yes, DoS in popular client software.

Comment 12 Stefan Behte (RETIRED) 2010-11-21 17:03:27 UTC

Vote: NO, DOS in client app only.

Comment 13 Sune Kloppenborg Jeppesen (RETIRED) 2011-01-03 20:48:43 UTC

Client crash is hardly a security issue so GLSA Vote: no -> Closing. Feel free to reopen if you disagree.