[Pkg-telepathy-maintainers] Bug#702252: telepathy-gabble: CVE-2013-1769 remotely-triggerable DoS (crash) via weird data forms in caps

Simon McVittie smcv at debian.org
Mon Mar 4 14:44:24 UTC 2013

Package: telepathy-gabble
Version: 0.9.15-1+squeeze1
Severity: important
Tags: fixed-upstream pending

telepathy-gabble is vulnerable to CVE-2013-1769, a remotely-triggerable DoS:
other XMPP users can cause Gabble to crash with a NULL pointer dereference
by sending malformed capabilities ("caps") data.

In squeeze, telepathy-gabble itself is believed to be vulnerable.

In wheezy, sid and experimental, the vulnerable code has moved into the
Wocky submodule (which is shipped as part of the telepathy-gabble tarball -
Wocky is not yet ABI-stable) so different patches are needed.

An upload to sid will follow soon.

Security team (in x-debbugs-cc), please let me know whether you want this
to be a DSA or a stable update? I would suggest a stable update since it's
only a DoS.


More information about the Pkg-telepathy-maintainers mailing list