Bug#572946: qutecom: multiple vulnerabilities

Michael Gilbert michael.s.gilbert at gmail.com
Sun Mar 7 19:43:13 UTC 2010


Package: qutecom
Version: 2.2~rc3.hg396~dfsg1-5+b1
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for pidgin.  Since qutecom embeds libpurple, it may also be
affected.  I have not checked this myself, so please do so, and close
the bug if you find the package to be not affected.

CVE-2010-0423[0]:
| gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a
| denial of service (CPU consumption and application hang) by sending
| many smileys in a (1) IM or (2) chat.

CVE-2010-0420[1]:
| libpurple in Finch in Pidgin before 2.6.6, when an XMPP multi-user
| chat (MUC) room is used, does not properly parse nicknames containing
| <br> sequences, which allows remote attackers to cause a denial of
| service (application crash) via a crafted nickname.

CVE-2010-0277[2]:
| slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6,
| including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a
| denial of service (memory corruption and application crash) or
| possibly have unspecified other impact via a malformed MSNSLP INVITE
| request in an SLP message, a different issue than CVE-2010-0013.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0423
    http://security-tracker.debian.org/tracker/CVE-2010-0423
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0420
    http://security-tracker.debian.org/tracker/CVE-2010-0420
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0277
    http://security-tracker.debian.org/tracker/CVE-2010-0277




