Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 353953

Summary: <net-im/pidgin-2.7.10: Cipher API information disclosure (CVE-2011-4922)
Product: Gentoo Security Reporter: tman <cornicx>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: net-im
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.pidgin.im/news/security/?id=50
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description tman 2011-02-07 12:10:29 UTC 
some important fixes are release on today

http://developer.pidgin.im/wiki/ChangeLog

Reproducible: Always

Steps to Reproduce:
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2011-02-08 13:59:01 UTC 
There is no release yet. Please, reopen as soon as something appears on upstream website.
Comment 2 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-02-11 08:26:16 UTC 
Reassigning to security, this will probably be a 2-step process.
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2011-02-12 01:38:55 UTC 
New version was just added to the tree. Arch teams, please, stabilize.
Comment 4 ScytheMan 2011-02-12 02:53:02 UTC 
 * Failed Patch: pidgin-2.7.3-ldflags.patch !
 *  ( /usr/portage/net-im/pidgin/files/pidgin-2.7.3-ldflags.patch )

 I suppose this was fixed upstream?

Excerpt from ChangeLog: 
* Perl bindings now respect LDFLAGS. (Peter Volkov, Markos Chandras) (#12638)
Comment 5 Agostino Sarubbo gentoo-dev 2011-02-12 10:03:00 UTC 
(In reply to comment #4)
>  * Failed Patch: pidgin-2.7.3-ldflags.patch !
>  *  ( /usr/portage/net-im/pidgin/files/pidgin-2.7.3-ldflags.patch )
> 
>  I suppose this was fixed upstream?
> 
> Excerpt from ChangeLog: 
> * Perl bindings now respect LDFLAGS. (Peter Volkov, Markos Chandras) (#12638)
> 
I comment this patch and it works
ok for me on amd64
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2011-02-12 16:45:38 UTC 
x86 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2011-02-12 17:44:58 UTC 
alpha/ia64/sparc stable
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-02-12 18:20:22 UTC 
ppc/ppc64 stable
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2011-02-12 19:57:05 UTC 
amd64 done. Thanks Agostino
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2011-02-14 20:42:31 UTC 
Stable for HPPA.
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-02-17 17:27:18 UTC 
Thanks, everyone.

GLSA Vote: no.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2011-02-23 22:20:08 UTC 
Vote: no, closing noglsa.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-08-09 12:28:40 UTC 
CVE-2011-4922 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4922):
  cipher.c in the Cipher API in libpurple in Pidgin before 2.7.10 retains
  encryption-key data in process memory, which might allow local users to
  obtain sensitive information by reading a core file or other representation
  of memory contents.