Severity |
|
Remote |
|
Type |
|
Description |
Receiving a file transfer request from a contact not in the contact list results in a null pointer dereference, leading to remote DoS by malicious remote clients. Additionally, due to an incomplete fix of the issue above in BitlBee 3.5, the bitlbee-libpurple variant is still affected in 3.5. |
|
References |
http://marc.info/?l=oss-security&m=148580159532168&w=2 |
https://bugs.bitlbee.org/ticket/1282 |
|
Notes |
This results in denial of service (remote crash of the BitlBee instance). Remote code execution does not seem to be possible (fixed offset).

For BitlBee servers configured in ForkDaemon mode (default) or inetd mode, the crash is limited to one user connection, who may just reconnect.
|