From ${URL} : A crafted message from the file relay server may cause memory to beoverwritten. The memory is not overwritten with data sent directly by the server, but security implications cannot be ruled out. The bug is public: http://lists.ziew.org/pipermail/libgadu-devel/2014-May/001171.html http://lists.ziew.org/pipermail/libgadu-devel/2014-May/001180.html @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
libgadu-1.11.4 and 1.12.0 are in tree. =net-libs/libgadu-1.11.4 should be stabilized also because of bug 505558.
Being stabilized as part of bug #505558
CVE-2014-3775 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3775): libgadu before 1.11.4 and 1.12.0 before 1.12.0-rc3, as used in Pidgin and other products, allows remote Gadu-Gadu file relay servers to cause a denial of service (memory overwrite) or possibly execute arbitrary code via a crafted message.
Arches, Thank you for your work Maintainer(s), please drop the vulnerable version(s). Added to existing GLSA Request
This issue was resolved and addressed in GLSA 201508-02 at https://security.gentoo.org/glsa/201508-02 by GLSA coordinator Yury German (BlueKnight).