oss-sec mailing list archives
Re: CVE Request (pidgin)
From: "Steven M. Christey" <coley () linus mitre org>
Date: Tue, 1 Jul 2008 17:25:40 -0400 (EDT)
Note that the UPnP functionality is characterized by the researchers as a bandwidth/disk DoS. I don't know much about UPnP or Pidgin, but it might be reasonable to investigate what Pidgin does with the file once it's downloaded the contents. - Steve ====================================================== Name: CVE-2008-2955 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2955 Reference: BUGTRAQ:20080626 Pidgin 2.4.1 Vulnerability Reference: URL:http://www.securityfocus.com/archive/1/archive/1/493682/100/0/threaded Reference: FRSIRT:ADV-2008-1947 Reference: URL:http://www.frsirt.com/english/advisories/2008/1947 Reference: SECUNIA:30881 Reference: URL:http://secunia.com/advisories/30881 Pidgin 2.4.1 allows remote attackers to cause a denial of service (crash) via a long filename that contains certain characters, as demonstrated using an MSN message that triggers the crash in the msn_slplink_process_msg function. ====================================================== Name: CVE-2008-2956 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2956 Reference: MISC:http://crisp.cs.du.edu/?q=ca2007-1 Reference: MLIST:[oss-security] 20080627 CVE Request (pidgin) Reference: URL:http://www.openwall.com/lists/oss-security/2008/06/27/3 Memory leak in Pidgin 2.0.0, and possibly other versions, allows remote attackers to cause a denial of service (memory consumption) via malformed XML documents. ====================================================== Name: CVE-2008-2957 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2957 Reference: MISC:http://crisp.cs.du.edu/?q=ca2007-1 Reference: MLIST:[oss-security] 20080627 CVE Request (pidgin) Reference: URL:http://www.openwall.com/lists/oss-security/2008/06/27/3 The UPnP functionality in Pidgin 2.0.0, and possibly other versions, allows remote attackers to trigger the download of arbitrary files and cause a denial of service (memory or disk consumption) via a UDP packet that specifies an arbitrary URL.
Current thread:
- Re: CVE Request (pidgin) Steven M. Christey (Jul 01)
- Re: Re: CVE Request (pidgin) Nico Golde (Jul 03)
- Re: Re: CVE Request (pidgin) Josh Bressers (Jul 03)
- Re: Re: CVE Request (pidgin) Robert Buchholz (Jul 03)
- Re: Re: CVE Request (pidgin) Josh Bressers (Jul 03)
- Re: Re: CVE Request (pidgin) Josh Bressers (Jul 03)
- Re: Re: CVE Request (pidgin) Nico Golde (Jul 03)
- Re: Re: CVE Request (pidgin) Vincent Danen (Jul 03)
- Re: Re: CVE Request (pidgin) Nico Golde (Jul 05)
- Re: Re: CVE Request (pidgin) Vincent Danen (Jul 08)
- Re: Re: CVE Request (pidgin) Nico Golde (Jul 05)
- <Possible follow-ups>
- CVE Request (pidgin) Josh Bressers (Aug 05)
- Re: CVE Request (pidgin) Steven M. Christey (Aug 07)