Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  NEWS  community  lists  Wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Thu, 03 Jul 2008 12:32:26 -0400
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com, Nico Golde <oss-security+ml@...lde.de>
Subject: Re: Re: CVE Request (pidgin)

On 3 July 2008, Nico Golde wrote:
> > Name: CVE-2008-2955

> >
> > Pidgin 2.4.1 allows remote attackers to cause a denial of service
> > (crash) via a long filename that contains certain characters, as
> > demonstrated using an MSN message that triggers the crash in the
> > msn_slplink_process_msg function.
> 
> Did anyone try if this can be done by some random user=20
> without authorization and if the victim needs to accept the=20
> file first to trigger this?
> 

My testing showed that random users can't send files, they need to be in
your buddy list.  I'm not sure if the victim needs to accept the file or
not.  Last I knew, upstream was still working on this one.

-- 
    JB

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ