[Pkg-telepathy-maintainers] Bug#702252: telepathy-gabble: CVE-2013-1769 remotely-triggerable DoS (crash) via weird data forms in caps
Simon McVittie
smcv at debian.org
Mon Mar 4 14:44:24 UTC 2013
Package: telepathy-gabble
Version: 0.9.15-1+squeeze1
Severity: important
Tags: fixed-upstream pending

telepathy-gabble is vulnerable to CVE-2013-1769, a remotely-triggerable DoS:
other XMPP users can cause Gabble to crash with a NULL pointer dereference
by sending malformed capabilities ("caps") data.

In squeeze, telepathy-gabble itself is believed to be vulnerable.

In wheezy, sid and experimental, the vulnerable code has moved into the
Wocky submodule (which is shipped as part of the telepathy-gabble tarball -
Wocky is not yet ABI-stable) so different patches are needed.

An upload to sid will follow soon.

Security team (in x-debbugs-cc), please let me know whether you want this
to be a DSA or a stable update? I would suggest a stable update since it's
only a DoS.
S