415393 – (CVE-2012-2214) <net-im/pidgin-2.10.4 : Denial of Service vulnerabilities with MSN or XMPP (CVE-2012-{2214,2318})

Bug 415393 (CVE-2012-2214) - <net-im/pidgin-2.10.4 : Denial of Service vulnerabilities with MSN or XMPP (CVE-2012-{2214,2318})

Summary: <net-im/pidgin-2.10.4 : Denial of Service vulnerabilities with MSN or XMPP (C...

Status:	RESOLVED FIXED

Alias:	CVE-2012-2214

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	http://pidgin.im/pipermail/devel/2012...
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2012-05-10 15:49 UTC by Manuel Rüger (RETIRED)
Modified:	2012-06-11 20:01 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Manuel Rüger (RETIRED) gentoo-dev

2012-05-10 15:49:22 UTC

fixes two vulnerabilities

announcement:
http://pidgin.im/pipermail/devel/2012-May/010756.html

Comment 1 Agostino Sarubbo gentoo-dev

2012-05-10 17:56:06 UTC

Manuel, thanks for reporting this.

secunia advisory: https://secunia.com/advisories/49036/

Comment 2 Julian Ospald 2012-05-28 18:11:03 UTC

+*pidgin-2.10.4 (28 May 2012)
+
+  28 May 2012; Julian Ospald <hasufell@gentoo.org>
+  -files/port-to-farstream-v5.patch, -pidgin-2.10.3-r100.ebuild,
+  +pidgin-2.10.4.ebuild:
+  version bump with Chainsaw wrt security bug #415393, rm deprecated -r100

Is that severe enough to remove the previous versions?

Comment 3 Alex Legler (RETIRED) archtester

2012-05-28 19:16:04 UTC

(In reply to comment #2)
> Is that severe enough to remove the previous versions?

All packages with issues should be removed. First, we'd need to stabilize the fixed version though. Do you have any reason not to call arches here?

Comment 4 Julian Ospald 2012-05-28 20:33:15 UTC

fixed in 2.10.4
http://www.pidgin.im/news/security/?id=62
http://www.pidgin.im/news/security/?id=63

Arch teams, please test and mark stable:
=net-im/pidgin-2.10.4
Target KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"

Comment 5 Elijah "Armageddon" El Lazkani (amd64 AT) 2012-05-28 22:31:12 UTC

amd64: pass

Note: repoman complains.

Comment 6 Jeroen Roovers (RETIRED) gentoo-dev

2012-05-29 01:12:32 UTC

Stable for HPPA.

Comment 7 Jeff (JD) Horelick (RETIRED) gentoo-dev

2012-05-29 02:56:46 UTC

x86 stable

Comment 8 Agostino Sarubbo gentoo-dev

2012-05-29 12:07:34 UTC

amd64 stable

Comment 9 Raúl Porcel (RETIRED) gentoo-dev

2012-06-03 16:26:14 UTC

alpha/ia64/sparc stable

Comment 10 Brent Baude (RETIRED) gentoo-dev

2012-06-06 14:11:09 UTC

ppc64 done

Comment 11 Brent Baude (RETIRED) gentoo-dev

2012-06-08 18:01:21 UTC

ppc done

Comment 12 Julian Ospald 2012-06-08 18:24:16 UTC

old versions dropped

+  08 Jun 2012; Julian Ospald <hasufell@gentoo.org>
+  -files/pidgin-2.10.0-networkmanager-0.9.patch,
+  -files/pidgin-2.10.0-utf8-validation.patch, -pidgin-2.10.1.ebuild,
+  -pidgin-2.10.3.ebuild:
+  drop vulnerable versions wrt bug #415393, remove obsolete patches

Comment 13 Tim Sammut (RETIRED) gentoo-dev

2012-06-10 15:31:51 UTC

Thanks, folks. GLSA Vote: no.

Comment 14 Sean Amoss (RETIRED) gentoo-dev

2012-06-11 20:01:39 UTC

GLSA vote: no, client-side DoS.

Closing noglsa.