Bug#559784: qutecom: CVE-2008-4776 denial-of-service

Ludovico Cavedon cavedon at debian.org
Sun Dec 13 01:02:47 UTC 2009


Michael Gilbert wrote:
> On Sat, 12 Dec 2009 16:05:55 -0800 Ludovico Cavedon wrote:
>> Michael Gilbert wrote:
>>> the following CVE (Common Vulnerabilities & Exposures) id was published
>>> for libgadu.  Centerim embeds libpurple, which embeds libgadu, so it is
>>> affected.
>> I am sure what stated above is correct. According to my investigation:
>> -libpurple does not embed libgadu directly, but has its own
>> implementation of the gadugadu protocol
>> -centerim embeds libgadu directly
>>
>> Therefore this CVE does not apply to qutecom.
> 
> based on [0], qutecom embeds the exact same code as libpurple,
> so it is indeed affected.
> 
> [0] http://source.debian.net/source/search?q=&defs=&refs=&path=libgadu.c&hist=

Yes, you are right, I missed the "lib" directory in "gg".

However I realized that the version of libpurple internally compiled by
qutecom is not including gadugadu support, but only jabber, msn, yahoo
and oscar [1].

Thanks,
Ludovico

[1] http://source.debian.net/source/xref/main/q/qutecom/libs/3rdparty/libpurple/CMakeLists-unix.txt


