Pidgin has released version 2.10.2 to fix two vulnerabilities: <-- http://pidgin.im/news/security/?id=60 Title XMPP remote crash Date 2011-07-08 CVE Name N/A Discovered By Clemens Huebner in ticket #14392 and Kevin Stange Description Certain types of nickname changes in XMPP chat rooms can trigger a NULL pointer dereference in Pidgin, which triggers a crash. Fixed in Revision d1d77da56217f3a083e1d459bef054db9f1d5699 Fixed in Version 2.10.2 Fix Check for NULL before trying to use a struct. http://pidgin.im/news/security/?id=61 Title Possible MSN remote crash Date 2012-01-17 CVE Name N/A Discovered By Thijs Alkemade in ticket #14884 Description In some situations the MSN server sends text that isn't UTF-8 encoded, and Pidgin fails to verify the text's encoding. In some cases this can lead to a crash when attempting to display the text. Fixed in Revision 3053d6a37cc6d8774aba7607b992a4408216adcd ecabfaee8a1ca02e18ebadbb41cdcce19e78bc2e b1b8c222ab921963f43e83502b6c6e2e4489a8c4 fdb56683f2b5f88f7b388aaef6c53c810d19e374 f12c9f6a6c31bcd3512f162209285a88a86595ff Fixed in Version 2.10.2 Fix Verify that incoming text is UTF-8, and sanitize if it's not.
*** Bug 408453 has been marked as a duplicate of this bug. ***
*** Bug 409175 has been marked as a duplicate of this bug. ***
CVE-2012-1178 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1178): The msn_oim_report_to_user function in oim.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.2 allows remote servers to cause a denial of service (application crash) via an OIM message that lacks UTF-8 encoding. CVE-2011-4939 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4939): The pidgin_conv_chat_rename_user function in gtkconv.c in Pidgin before 2.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by changing a nickname while in an XMPP chat room.
pidgin-2.10.3 was released today.
Created attachment 306721 [details, diff] diff from in tree 2.10.1 to 2.10.3
+*pidgin-2.10.3 (30 Mar 2012) + + 30 Mar 2012; Lars Wendler <polynomial-c@gentoo.org> -pidgin-2.10.0-r1.ebuild, + -pidgin-2.10.0-r2.ebuild, +pidgin-2.10.3.ebuild: + non-maintainer commit: Security bump wrt. bug #408177. Removed old versions. + Please give 2.10.3 a thorought testing. I only tested it with the following combination of USE-flags: USE="dbus -debug -doc -eds -gadu gnutls -groupwise -gstreamer gtk idn -meanwhile -ncurses -networkmanager nls -perl -prediction -python -sasl silc spell -tcl -tk xscreensaver -zephyr zeroconf"
Arches, please *test* and mark stable: =net-im/pidgin-2.10.3 Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
amd64 ok
Stable for HPPA.
x86 stable
amd64 stable
alpha/ia64/sparc stable
ppc done
ppc64 done
Thanks, everyone. GLSA vote: no.
GLSA vote: no.