"Integer overflow in libpurple/protocols/gg/lib/http.c in the Gadu-Gadu (gg) parser in Pidgin before 2.10.8 allows remote attackers to have an unspecified impact via a large Content-Length value, which triggers a buffer overflow."
thanks for the report.
I know this isn't some high priority, used widely package, but the fix is something like:
and it's been over a month… ;)
*libgadu-1.11.3 (06 May 2014)
06 May 2014; Manuel Rüger <firstname.lastname@example.org> +libgadu-1.11.3.ebuild,
Version bump. See bug #505558
Ebuild in tree. Package has stable keywords. Stabilization required, before removing vulnerable versions.
Please advise when ready to proceed with stabilization.
=net-libs/libgadu-1.11.4 is ready to be stabilized.
libgadu-1.11.4 instead of 1.11.3, because of bug 510714.
Arches, please test and mark stable:
Target Keywords : "alpha amd64 hppa ia64 ppc ppc64 spark x86"
Stable for HPPA.
Integer overflow in libpurple/protocols/gg/lib/http.c in the Gadu-Gadu (gg)
parser in Pidgin before 2.10.8 allows remote attackers to have an
unspecified impact via a large Content-Length value, which triggers a buffer
New stable has regression: bug #520946
arm stable, all arches done.
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).
New GLSA Request filed.
Affected versions dropped.
This issue was resolved and addressed in
GLSA 201508-02 at https://security.gentoo.org/glsa/201508-02
by GLSA coordinator Yury German (BlueKnight).