oss-sec mailing list archives
Re: Re: CVE Request (pidgin)
From: Josh Bressers <bressers () redhat com>
Date: Thu, 03 Jul 2008 12:32:26 -0400
On 3 July 2008, Nico Golde wrote:
Name: CVE-2008-2955
Pidgin 2.4.1 allows remote attackers to cause a denial of service (crash) via a long filename that contains certain characters, as demonstrated using an MSN message that triggers the crash in the msn_slplink_process_msg function.Did anyone try if this can be done by some random user=20 without authorization and if the victim needs to accept the=20 file first to trigger this?
My testing showed that random users can't send files, they need to be in
your buddy list. I'm not sure if the victim needs to accept the file or
not. Last I knew, upstream was still working on this one.
--
JB
Current thread:
- Re: CVE Request (pidgin) Steven M. Christey (Jul 01)
- Re: Re: CVE Request (pidgin) Nico Golde (Jul 03)
- Re: Re: CVE Request (pidgin) Josh Bressers (Jul 03)
- Re: Re: CVE Request (pidgin) Robert Buchholz (Jul 03)
- Re: Re: CVE Request (pidgin) Josh Bressers (Jul 03)
- Re: Re: CVE Request (pidgin) Josh Bressers (Jul 03)
- Re: Re: CVE Request (pidgin) Nico Golde (Jul 03)
- Re: Re: CVE Request (pidgin) Vincent Danen (Jul 03)
- Re: Re: CVE Request (pidgin) Nico Golde (Jul 05)
- Re: Re: CVE Request (pidgin) Vincent Danen (Jul 08)
- Re: Re: CVE Request (pidgin) Nico Golde (Jul 05)
- <Possible follow-ups>
- CVE Request (pidgin) Josh Bressers (Aug 05)
- Re: CVE Request (pidgin) Steven M. Christey (Aug 07)