hugo/content/about/security/advisories/cve-2009-2694-00.md

Fri, 30 Aug 2024 19:33:36 -0500

author: Gary Kramlich <grim@reaperworld.com>
date: Fri, 30 Aug 2024 19:33:36 -0500
changeset 543: 4ab2b8637540
parent 402: 91f916eba5fd
permissions: -rw-r--r--

Update the plugins page for the new process

This includes defining the process and providing a template for a new issue to
add new plugins. I did go through and audit `No IRC /WHO` so we had at least
one validated entry.

Testing Done:
Ran `npm run hugo:server` locally and verified the page worked and checked the new links.

Bugs closed: NEST-53

Reviewed at https://reviews.imfreedom.org/r/3450/

---
title: cve-2009-2694-00
date: 2009-08-18T00:00:00.000Z
cveNumber: cve-2009-2694
summary: MSN overflow parsing SLP messages
discoveredBy: Core Security Technologies
fixedInRelease: 2.5.9
type: security
layout: cve
hidden: true
---

### Description

By sending two consecutive specially crafted SLP messages, it is possible to
trigger a memcpy to an invalid location in memory. This affects all versions of
libpurple and Gaim released in the past few years.

### Mitigation

Correctly destroy outgoing SLP ACK messages after they are sent, and ensure a
buffer has been allocated within the SLP data structure before attempting to
write to it.
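
The following is an added example, not libpurple's own code, of the second mitigation: refusing to write a received chunk unless the message's buffer has been allocated. The `slp_msg` struct and function names are hypothetical, and the example goes one step beyond the text by also checking that the chunk fits inside the buffer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an SLP message reassembled from chunks. */
struct slp_msg {
    unsigned char *buffer; /* NULL until a reassembly buffer is allocated */
    size_t size;           /* number of bytes allocated at buffer */
};

/* Allocate the reassembly buffer. Returns 0 on success, -1 on failure. */
int slp_msg_alloc(struct slp_msg *m, size_t size)
{
    m->buffer = NULL;
    m->size = 0;
    if (size == 0)
        return -1;
    m->buffer = calloc(1, size);
    if (m->buffer == NULL)
        return -1;
    m->size = size;
    return 0;
}

/* Copy one received chunk into place. Returns 0 on success, -1 if rejected. */
int slp_msg_write_chunk(struct slp_msg *m, size_t offset,
                        const unsigned char *data, size_t len)
{
    if (m == NULL || data == NULL)
        return -1;
    if (m->buffer == NULL)      /* no buffer was allocated: nothing to write to */
        return -1;
    /* Written as a subtraction so offset + len cannot wrap around. */
    if (offset > m->size || len > m->size - offset)
        return -1;
    memcpy(m->buffer + offset, data, len);
    return 0;
}

/* Release the buffer and clear the pointer so later writes are rejected. */
void slp_msg_free(struct slp_msg *m)
{
    free(m->buffer);
    m->buffer = NULL;
    m->size = 0;
}
```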
