
List:       oss-security
Subject:    [oss-security] CVE assignment notification -- CVE-2009-1889 Pidgin: DoS (OOM,
From:       Jan Lieskovsky <jlieskov () redhat ! com>
Date:       2009-06-30 11:12:00
Message-ID: 1246360320.3392.20.camel () dhcp-lab164 ! englab ! brq ! redhat ! com

Hello Steve, vendors,

  CVE-2009-1889 has been assigned to the following Pidgin DoS issue:

Pidgin background:
------------------

Pidgin is an instant messaging program which can log in to multiple
accounts on multiple instant messaging networks simultaneously.
Open System for CommunicAtion in Realtime (OSCAR) is AOL's flagship
instant messaging and presence information protocol, used for AOL's two
main instant messaging systems: ICQ and AIM.

Flaw description:
-----------------
An out-of-memory denial of service flaw was found in Pidgin's
OSCAR protocol implementation. If a remote ICQ user sent a web
message to the local Pidgin user using this protocol, it would lead to
excessive memory allocation and denial of service (Pidgin crash).

Affected Pidgin versions: 2.4.0 <= Pidgin <= 2.5.7
------------------------
(It's possible the AIM IM system OSCAR protocol implementation in
Pidgin-1.5.* is also affected, but according to Yuriy: "AFAIK, older
pidgin/gaim won't work current icq servers.")

References:
-----------
  http://developer.pidgin.im/ticket/9483 (Pidgin ticket)
  http://pidgin.im/pipermail/devel/2009-May/008227.html (Yuriy's original post)
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1889 (Red Hat Bugzilla entry)
  http://developer.pidgin.im/wiki/ChangeLog (Pidgin-2.5.8 Changelog)

Thanks && regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
