Date: Mon, 04 Mar 2013 12:37:22 +0000
From: Will Thompson <will.thompson@...labora.co.uk>
To: Telepathy <telepathy@...ts.freedesktop.org>, oss-security@...ts.openwall.com
Subject: CVE-2013-1769: remotely-triggered NULL pointer dereference in telepathy-gabble

Hi,

I've just released two new versions of telepathy-gabble which fix a family of remotely-triggered NULL pointer dereference bugs in telepathy-gabble: specifically, in its implementation of the hashing algorithm specified in <http://xmpp.org/extensions/xep-0115.html>. These bugs existed in essentially all previous versions of telepathy-gabble.

A malicious user can trigger the bug for any of their contacts who use Gabble by publishing caps which trigger the bug, or for anyone whose JID they know.

In the current stable release series, the bug is fixed in telepathy-gabble 0.16.5 (release announcement: <http://lists.freedesktop.org/archives/telepathy/2013-March/006377.html>).

In the current unstable release series, the bug is fixed in telepathy-gabble 0.17.3 (release announcement: <http://lists.freedesktop.org/archives/telepathy/2013-March/006378.html>).

Simon McVittie has prepared some patches which apply to the 0.12 series of telepathy-gabble. Interested parties can find them, and more information, on the bug report: <https://bugs.freedesktop.org/show_bug.cgi?id=61433>. That said, I recommend that distributors of 0.12 upgrade to the 0.16 stable series if possible.

Thanks to Kurt Seifried of the Red Hat Security Response Team for allocating a CVE ID for this issue.

--
Will