Receiving a file transfer request from a contact not in the contact list results in a null pointer dereference, leading to remote DoS by malicious remote clients. Additionally, due to an incomplete fix of the issue above in BitlBee 3.5, the bitlbee-libpurple variant is still affected in 3.5.
http://marc.info/?l=oss-security&m=148580159532168&w=2
https://bugs.bitlbee.org/ticket/1282
This results in denial of service (remote crash of the BitlBee instance). Remote code execution does not seem to be possible (fixed offset). For BitlBee servers configured in ForkDaemon mode (default) or inetd mode, the crash is limited to one user's connection, and that user may simply reconnect.
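The bug class described above, as an added example that is not BitlBee source code: a contact lookup that returns NULL for an unknown sender, the unchecked handler that dereferences it, and a handler that rejects the request first. The struct, function names and sample contacts are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical types and names for illustration; not BitlBee source code. */
struct contact {
    char handle[64];
    void *ui_data;   /* per-contact state the transfer code reads */
};

/* Constructed sample contact list. */
static struct contact contacts[] = {
    { "alice@example.org", NULL },
    { "bob@example.org", NULL },
};

/* Returns NULL when the sender is not in the contact list. */
static struct contact *contact_by_handle(const char *handle)
{
    for (size_t i = 0; i < sizeof contacts / sizeof contacts[0]; i++)
        if (strcmp(contacts[i].handle, handle) == 0)
            return &contacts[i];
    return NULL;
}

/* Flawed pattern: trusts the lookup. For an unknown sender c is NULL, so the
 * read faults at 0 + offsetof(struct contact, ui_data), a constant address. */
void *ft_request_unchecked(const char *sender)
{
    struct contact *c = contact_by_handle(sender);
    return c->ui_data;
}

enum ft_result { FT_ACCEPTED = 0, FT_REJECTED_UNKNOWN_SENDER = -1 };

/* Hardened pattern: reject the request before any field is touched. */
enum ft_result ft_request_checked(const char *sender, void **ui_data_out)
{
    struct contact *c = contact_by_handle(sender);
    if (c == NULL)
        return FT_REJECTED_UNKNOWN_SENDER;
    *ui_data_out = c->ui_data;
    return FT_ACCEPTED;
}

int main(void)
{
    void *ui = NULL;
    printf("unknown sender -> %d\n", ft_request_checked("mallory@example.net", &ui));
    return 0;
}
```

Every code path that consumes the lookup result needs the same check, which is the kind of gap the incomplete fix for the bitlbee-libpurple variant points to.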