Bug 358403 - <net-im/pidgin-2.7.11: NULL pointer dereferences, leading to denial of service (CVE-2010-3711,CVE-2011-1091)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://developer.pidgin.im/viewmtn/r...
Whiteboard: B4 [noglsa]
Reported: 2011-03-11 14:34 UTC by tman
Modified: 2011-10-08 21:44 UTC
Attachments
Remove startup-notification dep (pidgin-2.7.11.ebuild.patch, 980 bytes, patch)
2011-03-11 19:02 UTC, Mr. B

Description tman 2011-03-11 14:34:03 UTC
http://developer.pidgin.im/wiki/ChangeLog 

new release

Reproducible: Always
Comment 1 Mr. B 2011-03-11 19:02:36 UTC
Created attachment 265585
Remove startup-notification dep

Pidgin uses gtk+ startup notification now: https://developer.pidgin.im/viewmtn/revision/info/dcc3c3a8e9e0b20c1df07ac43e93d6c3c1030c17
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2011-03-12 15:56:47 UTC
Thank you tman. New version is in the tree. Arch teams, please, stabilize.
Comment 3 Agostino Sarubbo gentoo-dev 2011-03-12 17:00:11 UTC
amd64 ok
Comment 4 Alex Buell 2011-03-12 22:21:30 UTC
Tested on SPARC, works nicely with IRC. Could stabilise.
Comment 5 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-03-13 12:14:48 UTC
ppc/ppc64 stable
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2011-03-13 14:31:42 UTC
x86 stable
Comment 7 Markos Chandras (RETIRED) gentoo-dev 2011-03-13 15:44:40 UTC
amd64 done. Thanks Agostino
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2011-03-13 18:53:33 UTC
Stable on alpha.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2011-03-15 15:45:58 UTC
Stable for HPPA.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2011-03-18 17:31:02 UTC
ia64/sparc stable
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-03-19 22:40:27 UTC
Thanks, folks. GLSA Vote: no.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 20:04:11 UTC
CVE-2011-1091 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1091):
  libymsg.c in the Yahoo! protocol plugin in libpurple in Pidgin 2.6.0 through
  2.7.10 allows (1) remote authenticated users to cause a denial of service
  (NULL pointer dereference and application crash) via a malformed YMSG
  notification packet, and allows (2) remote Yahoo! servers to cause a denial
  of service (NULL pointer dereference and application crash) via a malformed
  YMSG SMS message.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 13:25:55 UTC
CVE-2010-3711 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3711):
  libpurple in Pidgin before 2.7.4 does not properly validate the return value
  of the purple_base64_decode function, which allows remote authenticated
  users to cause a denial of service (NULL pointer dereference and application
  crash) via a crafted message, related to the plugins for MSN, MySpaceIM,
  XMPP, and Yahoo! and the NTLM authentication support.
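
The failure mode in the CVE-2010-3711 entry above, as an added example that is not part of the bug report and is not Pidgin's code: a decoder that returns NULL on malformed input, a caller that uses the result unvalidated, and the checked form. `b64_decode`, `field_type_unchecked`, `field_type_checked` and the one-byte type field are hypothetical stand-ins, and the input strings are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in decoder (hypothetical, not libpurple's code): returns a malloc'd
 * buffer, or NULL when the input is not valid base64. */
unsigned char *b64_decode(const char *s, size_t *out_len) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t n = strlen(s), o = 0;
    if (n == 0 || n % 4 != 0) return NULL;
    unsigned char *out = malloc(n / 4 * 3);
    if (!out) return NULL;
    for (size_t i = 0; i < n; i += 4) {
        unsigned v = 0; int pad = 0;
        for (int j = 0; j < 4; j++) {
            char c = s[i + j];
            const char *p = (c == '=') ? NULL : strchr(tbl, c);
            if (c == '=' && i + 4 == n && j >= 2) pad++;    /* trailing padding */
            else if (!p || pad) { free(out); return NULL; } /* malformed input */
            v = v << 6 | (p ? (unsigned)(p - tbl) : 0);
        }
        out[o++] = (unsigned char)(v >> 16);
        if (pad < 2) out[o++] = (unsigned char)(v >> 8);
        if (pad < 1) out[o++] = (unsigned char)v;
    }
    *out_len = o;
    return out;
}

/* Pattern the CVE text describes: the decoder's result is used unvalidated. */
int field_type_unchecked(const char *b64) {
    size_t len;
    unsigned char *raw = b64_decode(b64, &len);
    int type = raw[0];               /* NULL dereference if decoding failed */
    free(raw);
    return type;
}

/* Hardened form: a failed decode rejects the message instead of crashing. */
int field_type_checked(const char *b64) {
    size_t len = 0;
    unsigned char *raw = b64_decode(b64, &len);
    if (raw == NULL || len == 0) { free(raw); return -1; }
    int type = raw[0];
    free(raw);
    return type;
}

int main(void) { return field_type_checked("a*b=") == -1 ? 0 : 1; }
```
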
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2011-10-08 21:44:32 UTC
voting no too, and closing.