| Field | Value |
|---|---|
| Summary | <net-im/pidgin-2.9.0: remote denial-of-service bug related to displaying buddy icons (CVE-2011-2485) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | tman <cornicx> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | Normal |
| CC | net-im, reavertm |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://pidgin.im/news/security/?id=52 |
| Whiteboard | B3 [glsa] |
| Package list | |
| Runtime testing required | --- |

Description
tman
2011-06-24 09:12:00 UTC
Fixed:
* Fix a potential remote denial-of-service bug related to displaying buddy icons.

(In reply to comment #0)
> new version released. please bump

Thank you for the report, tman. New version is in the tree.

Arch teams, please, test and stabilize. TIA.

It requires: =net-libs/libgadu-1.11.0, advice from maintainer?

I'm not a pidgin guru, but when I open:

```
(18:49:22) pounce: Error reading pounces: Failed to open file '/home/ago/.purple/pounces.xml': No such file or directory
(18:49:22) gtkutils: gdk_pixbuf_new_from_file() returned nothing for file /usr/share/icons/hicolor/scalable/apps/pidgin.svg: Couldn't recognize the image file format for file '/usr/share/icons/hicolor/scalable/apps/pidgin.svg'
```

Are they expected?

And from build log:

```
/bin/sh ../../../libtool --silent --tag=CC --mode=compile x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I../../.. -I../../.. -I../../../libpurple -I../../../libpurple -DLIBDIR=\"/usr/lib64/purple-2\" -Wall -DPURPLE_DISABLE_DEPRECATED -DPIDGIN_DISABLE_DEPRECATED -DFINCH_DISABLE_DEPRECATED -DGNT_DISABLE_DEPRECATED -Waggregate-return -Wcast-align -Wdeclaration-after-statement -Wendif-labels -Werror-implicit-function-declaration -Wextra -Wno-sign-compare -Wno-unused-parameter -Wformat-security -Werror=format-security -Winit-self -Wmissing-declarations -Wmissing-noreturn -Wmissing-prototypes -Wpointer-arith -Wundef -Wp,-D_FORTIFY_SOURCE=2 -pthread -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/lib64/perl5/5.12.3/x86_64-linux-thread-multi/CORE -g -march=native -O2 -g0 -MT perl-handlers.lo -MD -MP -MF .deps/perl-handlers.Tpo -c -o perl-handlers.lo perl-handlers.c
```

Can you drop -pipe and -g? TY

amd64: net-libs/libgadu-1.11.0 suffers from a test failure atm. Otherwise emerged and seems to work.

I tested libgadu and pidgin on x86. All good here.

Stable for HPPA.

x86 stable.

Thanks Andreas

amd64 stable

alpha/ia64/sparc stable

ppc64 done

ppc stable, last arch done

Thanks, folks. GLSA Vote: no.

Vote: YES. Added to pending GLSA request.

This issue was resolved and addressed in GLSA 201206-11 at http://security.gentoo.org/glsa/glsa-201206-11.xml by GLSA coordinator Stefan Behte (craig).