Bug 353953 - <net-im/pidgin-2.7.10: Cipher API information disclosure (CVE-2011-4922)
Status: RESOLVED FIXED
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.pidgin.im/news/security/?i...
Whiteboard: B4 [noglsa]
Reported: 2011-02-07 12:10 UTC by tman
Modified: 2012-08-09 12:28 UTC

Description tman 2011-02-07 12:10:29 UTC
Some important fixes were released today

http://developer.pidgin.im/wiki/ChangeLog

Reproducible: Always

Steps to Reproduce:
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2011-02-08 13:59:01 UTC
There is no release yet. Please reopen as soon as something appears on the upstream website.
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-11 08:26:16 UTC
Reassigning to security, this will probably be a 2-step process.
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2011-02-12 01:38:55 UTC
A new version was just added to the tree. Arch teams, please stabilize.
Comment 4 ScytheMan 2011-02-12 02:53:02 UTC
 * Failed Patch: pidgin-2.7.3-ldflags.patch !
 *  ( /usr/portage/net-im/pidgin/files/pidgin-2.7.3-ldflags.patch )

 I suppose this was fixed upstream?

Excerpt from ChangeLog: 
* Perl bindings now respect LDFLAGS. (Peter Volkov, Markos Chandras) (#12638)
Comment 5 Agostino Sarubbo gentoo-dev 2011-02-12 10:03:00 UTC
(In reply to comment #4)
>  * Failed Patch: pidgin-2.7.3-ldflags.patch !
>  *  ( /usr/portage/net-im/pidgin/files/pidgin-2.7.3-ldflags.patch )
> 
>  I suppose this was fixed upstream?
> 
> Excerpt from ChangeLog: 
> * Perl bindings now respect LDFLAGS. (Peter Volkov, Markos Chandras) (#12638)
> 
I commented this patch out and it works OK for me on amd64.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2011-02-12 16:45:38 UTC
x86 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2011-02-12 17:44:58 UTC
alpha/ia64/sparc stable
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-02-12 18:20:22 UTC
ppc/ppc64 stable
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2011-02-12 19:57:05 UTC
amd64 done. Thanks Agostino
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2011-02-14 20:42:31 UTC
Stable for HPPA.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-02-17 17:27:18 UTC
Thanks, everyone.

GLSA Vote: no.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-23 22:20:08 UTC
Vote: no, closing noglsa.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-08-09 12:28:40 UTC
CVE-2011-4922 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4922):
  cipher.c in the Cipher API in libpurple in Pidgin before 2.7.10 retains
  encryption-key data in process memory, which might allow local users to
  obtain sensitive information by reading a core file or other representation
  of memory contents.