oss-sec mailing list archives

Re: Re: CVE Request (pidgin)

From: Nico Golde <oss-security+ml () ngolde de>
Date: Thu, 3 Jul 2008 17:29:47 +0200

Hi Steven,
* Steven M. Christey <coley () linus mitre org> [2008-07-01 23:40]:

Name: CVE-2008-2955
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2955
Reference: BUGTRAQ:20080626 Pidgin 2.4.1 Vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/493682/100/0/threaded
Reference: FRSIRT:ADV-2008-1947
Reference: URL:http://www.frsirt.com/english/advisories/2008/1947
Reference: SECUNIA:30881
Reference: URL:http://secunia.com/advisories/30881

Pidgin 2.4.1 allows remote attackers to cause a denial of service
(crash) via a long filename that contains certain characters, as
demonstrated using an MSN message that triggers the crash in the
msn_slplink_process_msg function.


Did anyone try if this can be done by some random user 
without authorization and if the victim needs to accept the 
file first to trigger this?

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: _bin
Description:

Current thread:

Re: CVE Request (pidgin) Steven M. Christey (Jul 01)
- Re: Re: CVE Request (pidgin) Nico Golde (Jul 03)
  - Re: Re: CVE Request (pidgin) Josh Bressers (Jul 03)
    - Re: Re: CVE Request (pidgin) Robert Buchholz (Jul 03)
    - Re: Re: CVE Request (pidgin) Josh Bressers (Jul 03)
- Re: Re: CVE Request (pidgin) Vincent Danen (Jul 03)
  - Re: Re: CVE Request (pidgin) Nico Golde (Jul 05)
    - Re: Re: CVE Request (pidgin) Vincent Danen (Jul 08)
- <Possible follow-ups>
- CVE Request (pidgin) Josh Bressers (Aug 05)
  - Re: CVE Request (pidgin) Steven M. Christey (Aug 07)