libgadu before 1.8.2 allows remote servers to cause a denial of
service (crash) via a contact description with a large length, which
triggers a buffer over-read.
Any word on an updated ebuild? The goal for a B4 fix is 20 days.
*PING* as timeline for B4 is 40 days
This bug should be merged with version bump request in bug #244424 maybe?
*libgadu-1.8.2 (04 Feb 2009)
04 Feb 2009; Robert Buchholz <email@example.com>
Version bump (bug #244424), fixing a buffer overread vulnerability (bug
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ia64 ppc sparc x86"
Stable on alpha.
Stable for HPPA.
For anyone who missed that, bug 245572 has kadu waiting for your stable markings as well.
vote: NO, as this is a client library.
"Successful exploitation would require a man-in-the-middle attack or hacking the Gadu-Gadu servers. No known exploits."
That's why voting no, too. Closing noglsa.