Launchpad has imported 6 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=453764.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2008-07-02T13:14:49+00:00 Josh wrote:

An integer overflow in Pidgin's MSN protocol handler could allow a malformed SLP
message to cause an integer overflow, which could result in arbitrary code
execution.

This flaw is only exploitable by individuals who can message a user, which is
controlled by the Pidgin privacy setting.  The default setting is to only allow
messages from users in the buddy list.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/245770/comments/0

------------------------------------------------------------------------
On 2008-07-02T13:14:49+00:00 Josh wrote:

Created attachment 310788
Proposed upstream patch

Reply at:
https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/245770/comments/1

------------------------------------------------------------------------
On 2008-07-02T14:37:24+00:00 Warren wrote:

#
#
# patch "libpurple/protocols/msnp9/slplink.c"
#  from [0148f31961bbe4a9a992377e70db082952505db4]
#    to [f65596ea173bf7c9c1114edd7599140f470e7788]
#
============================================================
--- libpurple/protocols/msnp9/slplink.c 0148f31961bbe4a9a992377e70db082952505db4
+++ libpurple/protocols/msnp9/slplink.c f65596ea173bf7c9c1114edd7599140f470e7788
@@ -597,7 +597,7 @@ msn_slplink_process_msg(MsnSlpLink *slpl
        }
        else if (slpmsg->size)
        {
-               if ((offset + len) > slpmsg->size)
+               if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size)
                {
                        purple_debug_error("msn", "Oversized slpmsg\n");
                        g_return_if_reached();
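
Review bot: the soundness of `G_MAXSIZE - len < offset` depends on `offset` and `len` both being unsigned and no wider than gsize, and this hunk does not show their declarations; with a signed or wider `offset` the comparison is carried out under the usual arithmetic conversions and may not reject the values it is meant to, so either cast both operands to gsize explicitly or state the assumed types in a comment beside the check. An equivalent form that needs no G_MAXSIZE and cannot wrap is `if (len > slpmsg->size || offset > slpmsg->size - len)`, since `slpmsg->size` is already the bound being enforced.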

For reference, this is the upstream patch that went into 2.4.3.  I need to
backport this for pidgin-2.3.1 in RHEL4 and RHEL5, and pidgin-1.5.x in RHEL3.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/245770/comments/2
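
The following is an added example, not Pidgin's code, illustrating the overflow Josh describes and the check in the hunk Warren quoted: the pre-2.4.3 test `(offset + len) > slpmsg->size` beside the 2.4.3 form that first tests for wrap-around, plus an equivalent form that needs no maximum constant. SIZE_MAX stands in for GLib's G_MAXSIZE and size_t for gsize; the message size, chunk length and offsets are constructed values, and the copy that follows the real check is not reproduced.

```c
/*
 * Added example (not Pidgin's code). Shows how a wrapping offset + len
 * passes the old slplink bounds check and is rejected by the 2.4.3 check.
 * Assumptions: SIZE_MAX stands in for G_MAXSIZE, size_t for gsize, and
 * all sizes below are constructed for the demonstration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Old check (vulnerable): the sum is computed first, so a huge offset
 * wraps it to a small number and the chunk is accepted. */
static bool chunk_fits_old(size_t msg_size, size_t offset, size_t len)
{
    return (offset + len) <= msg_size;
}

/* 2.4.3 check: reject when offset + len cannot be represented,
 * then do the ordinary range comparison. */
static bool chunk_fits_new(size_t msg_size, size_t offset, size_t len)
{
    if (SIZE_MAX - len < offset)   /* offset + len would wrap */
        return false;
    return (offset + len) <= msg_size;
}

/* Equivalent form bounded by msg_size itself: the subtraction cannot
 * underflow (len <= msg_size is tested first) and nothing is added. */
static bool chunk_fits_alt(size_t msg_size, size_t offset, size_t len)
{
    return len <= msg_size && offset <= msg_size - len;
}

/* Attacker-chosen offset: offset + len == SIZE_MAX + 16, which wraps
 * to 15 in size_t arithmetic (unsigned wrap is well defined in C). */
static size_t wrapping_offset(size_t len)
{
    return SIZE_MAX - len + 16;
}

/* Returns true if the two fixed checks agree on every constructed
 * vector, including both wrap-around cases. */
static bool fixed_checks_agree(void)
{
    const size_t size = 1024;
    const size_t vectors[][2] = {
        {0, 64}, {960, 64}, {961, 64}, {1024, 0}, {1024, 1},
        {0, 1025}, {wrapping_offset(64), 64}, {SIZE_MAX, 1}, {1, SIZE_MAX},
    };
    for (size_t i = 0; i < sizeof vectors / sizeof vectors[0]; i++) {
        size_t off = vectors[i][0], len = vectors[i][1];
        if (chunk_fits_new(size, off, len) != chunk_fits_alt(size, off, len))
            return false;
    }
    return true;
}

int main(void)
{
    const size_t size = 1024, len = 64;
    const size_t bad = wrapping_offset(len);

    printf("msg size %zu, chunk len %zu, offset %zu (offset+len wraps to %zu)\n",
           size, len, bad, (size_t)(bad + len));
    /* In the vulnerable build an accepted chunk is then copied to
     * buffer + offset, i.e. far outside the allocation. */
    printf("old check accepts wrapping chunk: %d\n", chunk_fits_old(size, bad, len));
    printf("new check accepts wrapping chunk: %d\n", chunk_fits_new(size, bad, len));
    printf("alt check accepts wrapping chunk: %d\n", chunk_fits_alt(size, bad, len));
    printf("benign chunk at offset 960: old %d new %d alt %d\n",
           chunk_fits_old(size, 960, len), chunk_fits_new(size, 960, len),
           chunk_fits_alt(size, 960, len));
    printf("fixed checks agree on all vectors: %d\n", fixed_checks_agree());
    return 0;
}
```

The point of the third form is that it enforces the same bound without reaching for a platform maximum: once `len <= msg_size` holds, `msg_size - len` is the largest offset that can still fit, so comparing against it can neither wrap nor underflow.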

------------------------------------------------------------------------
On 2008-07-04T02:01:38+00:00 Josh wrote:

I'm making this bug public in order to avoid creating confusion.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/245770/comments/3

------------------------------------------------------------------------
On 2008-08-27T19:50:04+00:00 Tomas wrote:

Upstream advisory:
  http://www.pidgin.im/news/security/?id=25

Fixed upstream in: 2.4.3

Reply at:
https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/245770/comments/8

------------------------------------------------------------------------
On 2009-06-09T07:14:17+00:00 Red wrote:

This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0584.html

Fedora:
  https://admin.fedoraproject.org/updates/F10/FEDORA-2009-5597
  https://admin.fedoraproject.org/updates/F11/FEDORA-2009-5583
  https://admin.fedoraproject.org/updates/F9/FEDORA-2009-5552

Reply at:
https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/245770/comments/10


** Changed in: pidgin (Fedora)
       Status: Unknown => Fix Released

** Changed in: pidgin (Fedora)
   Importance: Unknown => Medium

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pidgin in Ubuntu.
https://bugs.launchpad.net/bugs/245770

Title:
  [CVE-2008-2927] MSN integer overflow in Pidgin

Status in pidgin package in Ubuntu:
  Fix Released
Status in pidgin package in Debian:
  Fix Released
Status in pidgin package in Fedora:
  Fix Released

Bug description:
  Binary package hint: pidgin

  CVE-2008-2927 is a remote buffer overflow vulnerability in the MSN
  protocol handler. Apparently it can lead to arbitrary code execution.
  It's not yet in the public vulnerability databases, so please see the
  Debian bug for reference:
  <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=488632>. I think it
  is the same issue as
  described in this Bugtraq post
  <http://www.securityfocus.com/archive/1/493682/30/60/threaded>.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/245770/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
