oss-sec mailing list archives
Re: Re: CVE Request (pidgin)
From: Nico Golde <oss-security+ml () ngolde de>
Date: Sat, 5 Jul 2008 13:56:00 +0200
Hi Vincent, * Vincent Danen <vdanen () linsec ca> [2008-07-03 21:42]:
* [2008-07-01 17:25:40 -0400] Steven M. Christey wrote:Name: CVE-2008-2957 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2957 Reference: MISC:http://crisp.cs.du.edu/?q=ca2007-1 Reference: MLIST:[oss-security] 20080627 CVE Request (pidgin) Reference: URL:http://www.openwall.com/lists/oss-security/2008/06/27/3 The UPnP functionality in Pidgin 2.0.0, and possibly other versions, allows remote attackers to trigger the download of arbitrary files and cause a denial of service (memory or disk consumption) via a UDP packet that specifies an arbitrary URL.There are patches with the original advisory for these two. Has anyone had a chance to look at them to make sure they're ok? I don't see any references to any of these issues on the pidgin website and no vendors have issued pidgin updates for these that I can see, so I'm wondering if anyone has looked at these patches (be it vendors or upstream) to determine whether or not they're sufficient and/or suitable to apply to a security update.
I just had a look at http://crisp.cs.du.edu/crisp-files/pidgin-2.0.0-upnp-limit-download.diff to fix CVE-2008-2957. I think the patch itself is fine however I am not sure if this is the right way to fix the issue cause I basically just workarounds the problem by limiting the downloads triggered by UPnP (128k) without giving any way to reconfigure this value or to switch it off completely. This may be the reason why there isn't yet an official patch by the pidgin people. If you want to go with that simple workaround the patch is just fine. Cheers Nico -- Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
Attachment:
_bin
Description:
Current thread:
- Re: CVE Request (pidgin) Steven M. Christey (Jul 01)
- Re: Re: CVE Request (pidgin) Nico Golde (Jul 03)
- Re: Re: CVE Request (pidgin) Josh Bressers (Jul 03)
- Re: Re: CVE Request (pidgin) Robert Buchholz (Jul 03)
- Re: Re: CVE Request (pidgin) Josh Bressers (Jul 03)
- Re: Re: CVE Request (pidgin) Josh Bressers (Jul 03)
- Re: Re: CVE Request (pidgin) Nico Golde (Jul 03)
- Re: Re: CVE Request (pidgin) Vincent Danen (Jul 03)
- Re: Re: CVE Request (pidgin) Nico Golde (Jul 05)
- Re: Re: CVE Request (pidgin) Vincent Danen (Jul 08)
- Re: Re: CVE Request (pidgin) Nico Golde (Jul 05)
- <Possible follow-ups>
- CVE Request (pidgin) Josh Bressers (Aug 05)
- Re: CVE Request (pidgin) Steven M. Christey (Aug 07)