Date: Thu, 3 Jul 2008 13:21:15 -0600
From: Vincent Danen <vdanen@...sec.ca>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE Request (pidgin)
* [2008-07-01 17:25:40 -0400] Steven M. Christey wrote:
>======================================================
>Name: CVE-2008-2956
>Status: Candidate
>URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2956
>Reference: MISC:http://crisp.cs.du.edu/?q=ca2007-1
>Reference: MLIST:[oss-security] 20080627 CVE Request (pidgin)
>Reference: URL:http://www.openwall.com/lists/oss-security/2008/06/27/3
>
>Memory leak in Pidgin 2.0.0, and possibly other versions, allows
>remote attackers to cause a denial of service (memory consumption) via
>malformed XML documents.
>
>
>======================================================
>Name: CVE-2008-2957
>Status: Candidate
>URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2957
>Reference: MISC:http://crisp.cs.du.edu/?q=ca2007-1
>Reference: MLIST:[oss-security] 20080627 CVE Request (pidgin)
>Reference: URL:http://www.openwall.com/lists/oss-security/2008/06/27/3
>
>The UPnP functionality in Pidgin 2.0.0, and possibly other versions,
>allows remote attackers to trigger the download of arbitrary files and
>cause a denial of service (memory or disk consumption) via a UDP
>packet that specifies an arbitrary URL.
There are patches with the original advisory for these two. Has anyone
had a chance to look at them to make sure they're ok? I don't see any
references to any of these issues on the pidgin website and no vendors
have issued pidgin updates for these that I can see, so I'm wondering if
anyone has looked at these patches (be it vendors or upstream) to
determine whether or not they're sufficient and/or suitable to apply to
a security update.
--
Vincent Danen @ http://linsec.ca/