Bug 408177 (CVE-2011-4939) - <net-im/pidgin-2.10.3: Multiple Vulnerabilities (CVE-2011-4939,CVE-2012-1178)
Summary: <net-im/pidgin-2.10.3: Multiple Vulnerabilities (CVE-2011-4939,CVE-2012-1178)
Status: RESOLVED FIXED
Alias: CVE-2011-4939
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor with 1 vote
Assignee: Gentoo Security
URL: http://pidgin.im/news/security/?id=60
Whiteboard: B3 [noglsa]
Keywords:
Duplicates: 408453 409175
Depends on:
Blocks:
 
Reported: 2012-03-14 16:21 UTC by Tim Sammut (RETIRED)
Modified: 2012-05-07 22:29 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
diff from in tree 2.10.1 to 2.10.3 (ebuild.patch,320 bytes, patch)
2012-03-26 13:07 UTC, ScytheMan

Description Tim Sammut (RETIRED) gentoo-dev 2012-03-14 16:21:37 UTC
Pidgin has released version 2.10.2 to fix two vulnerabilities:

<--

http://pidgin.im/news/security/?id=60
Title	XMPP remote crash
Date	2011-07-08
CVE Name	N/A
Discovered By	Clemens Huebner in ticket #14392 and Kevin Stange
Description	Certain types of nickname changes in XMPP chat rooms can trigger a NULL pointer dereference in Pidgin, which triggers a crash.
Fixed in Revision	d1d77da56217f3a083e1d459bef054db9f1d5699
Fixed in Version	2.10.2
Fix	Check for NULL before trying to use a struct.

http://pidgin.im/news/security/?id=61
Title	Possible MSN remote crash
Date	2012-01-17
CVE Name	N/A
Discovered By	Thijs Alkemade in ticket #14884
Description	In some situations the MSN server sends text that isn't UTF-8 encoded, and Pidgin fails to verify the text's encoding. In some cases this can lead to a crash when attempting to display the text.
Fixed in Revision	3053d6a37cc6d8774aba7607b992a4408216adcd
ecabfaee8a1ca02e18ebadbb41cdcce19e78bc2e
b1b8c222ab921963f43e83502b6c6e2e4489a8c4
fdb56683f2b5f88f7b388aaef6c53c810d19e374
f12c9f6a6c31bcd3512f162209285a88a86595ff
Fixed in Version	2.10.2
Fix	Verify that incoming text is UTF-8, and sanitize if it's not.
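
The fix recorded for the MSN issue, "Verify that incoming text is UTF-8, and sanitize if it's not", can be sketched as follows. This is an added example, not code from Pidgin or libpurple; the function names `text_is_utf8` and `sanitize_to_utf8` are hypothetical, and replacing each invalid byte with `?` is an assumption made for the sketch.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Length of the well-formed UTF-8 sequence at s (n bytes left), or 0 if
 * invalid: rejects overlongs, surrogates, > U+10FFFF and truncation. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    size_t len, i;
    unsigned long cp, min;
    if (s[0] < 0x80) return 1;
    else if ((s[0] & 0xE0) == 0xC0) { len = 2; cp = s[0] & 0x1F; min = 0x80; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; cp = s[0] & 0x0F; min = 0x800; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; cp = s[0] & 0x07; min = 0x10000; }
    else return 0;                      /* stray continuation byte or 0xF8+ */
    if (len > n) return 0;              /* sequence cut off by end of input */
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
    return len;
}

/* 1 if the NUL-terminated text is valid UTF-8, 0 otherwise (NULL included). */
int text_is_utf8(const char *text)
{
    size_t n, i, k;
    if (text == NULL) return 0;
    for (n = strlen(text), i = 0; i < n; i += k)
        if ((k = utf8_seq_len((const unsigned char *)text + i, n - i)) == 0) return 0;
    return 1;
}

/* Newly allocated copy of text with each invalid byte replaced by '?'.
 * Caller frees the result; returns NULL for NULL input or failed malloc. */
char *sanitize_to_utf8(const char *text)
{
    size_t n, i, k;
    char *out;
    if (text == NULL) return NULL;
    n = strlen(text);
    if ((out = malloc(n + 1)) == NULL) return NULL;
    memcpy(out, text, n + 1);
    for (i = 0; i < n; i += k) {
        k = utf8_seq_len((const unsigned char *)out + i, n - i);
        if (k == 0) { out[i] = '?'; k = 1; }
    }
    return out;
}
```

Text received from the server would pass through `text_is_utf8` before reaching any display code, with `sanitize_to_utf8` applied only when the check fails.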
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2012-03-16 09:37:39 UTC
*** Bug 408453 has been marked as a duplicate of this bug. ***
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2012-03-21 14:10:41 UTC
*** Bug 409175 has been marked as a duplicate of this bug. ***
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-03-22 17:37:19 UTC
CVE-2012-1178 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1178):
  The msn_oim_report_to_user function in oim.c in the MSN protocol plugin in
  libpurple in Pidgin before 2.10.2 allows remote servers to cause a denial of
  service (application crash) via an OIM message that lacks UTF-8 encoding.

CVE-2011-4939 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4939):
  The pidgin_conv_chat_rename_user function in gtkconv.c in Pidgin before
  2.10.2 allows remote attackers to cause a denial of service (NULL pointer
  dereference and application crash) by changing a nickname while in an XMPP
  chat room.
Comment 4 ScytheMan 2012-03-26 13:02:33 UTC
pidgin-2.10.3 was released today.
Comment 5 ScytheMan 2012-03-26 13:07:28 UTC
Created attachment 306721 [details, diff]
diff from in tree 2.10.1 to 2.10.3
Comment 6 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2012-03-30 17:11:52 UTC
+*pidgin-2.10.3 (30 Mar 2012)
+
+  30 Mar 2012; Lars Wendler <polynomial-c@gentoo.org> -pidgin-2.10.0-r1.ebuild,
+  -pidgin-2.10.0-r2.ebuild, +pidgin-2.10.3.ebuild:
+  non-maintainer commit: Security bump wrt. bug #408177. Removed old versions.
+
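Review bot: the "Security bump wrt. bug #408177" line identifies the fix only by bug number; adding CVE-2011-4939 and CVE-2012-1178 to the message would let someone reading the ChangeLog alone match this bump to the advisories. The same entry also removes pidgin-2.10.0-r1.ebuild and pidgin-2.10.0-r2.ebuild, so the cleanup cannot be reverted separately from the bump; a separate entry for "Removed old versions" would keep the two apart.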
Please give 2.10.3 a thorough testing. I only tested it with the following combination of USE-flags:

USE="dbus -debug -doc -eds -gadu gnutls -groupwise -gstreamer gtk idn -meanwhile -ncurses -networkmanager nls -perl -prediction -python -sasl silc spell -tcl -tk xscreensaver -zephyr zeroconf"
Comment 7 Tim Sammut (RETIRED) gentoo-dev 2012-03-30 17:27:17 UTC
Arches, please *test* and mark stable:
=net-im/pidgin-2.10.3
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 8 Maurizio Camisaschi (amd64 AT) 2012-03-31 18:04:20 UTC
amd64 ok
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2012-04-02 03:10:21 UTC
Stable for HPPA.
Comment 10 Thomas Kahle (RETIRED) gentoo-dev 2012-04-03 08:32:24 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2012-04-03 21:55:58 UTC
amd64 stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2012-04-08 14:55:13 UTC
alpha/ia64/sparc stable
Comment 13 Brent Baude (RETIRED) gentoo-dev 2012-04-15 16:01:49 UTC
ppc done
Comment 14 Mark Loeser (RETIRED) gentoo-dev 2012-05-06 18:57:07 UTC
ppc64 done
Comment 15 Tim Sammut (RETIRED) gentoo-dev 2012-05-07 02:56:12 UTC
Thanks, everyone. GLSA vote: no.
Comment 16 Sean Amoss (RETIRED) gentoo-dev Security 2012-05-07 22:29:35 UTC
GLSA vote: no.