Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 425076 (CVE-2012-3374)

Summary: <net-im/pidgin-2.10.6: MXit buffer overflow (CVE-2012-3374)
Product: Gentoo Security Reporter: ChaosEngine <andrzej.pauli>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: mrueg, net-im
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.pidgin.im/news/security/index.php?id=64
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description ChaosEngine 2012-07-06 16:03:34 UTC 
After the source:

Incorrect handing of inline images in incoming instant messages can cause a buffer overflow and in some cases can be exploited to execute arbitrary code.

Reproducible: Didn't try
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2012-07-06 16:25:46 UTC 
+*pidgin-2.10.5 (06 Jul 2012)
+
+  06 Jul 2012; Lars Wendler <polynomial-c@gentoo.org> +pidgin-2.10.5.ebuild:
+  Security bump (bug #425076).
+
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2012-07-07 00:04:13 UTC 
2.10.6 fixes a bug which was introduced with 2.10.5
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2012-07-09 14:01:42 UTC 
+*pidgin-2.10.6 (09 Jul 2012)
+
+  09 Jul 2012; Lars Wendler <polynomial-c@gentoo.org> -pidgin-2.10.5.ebuild,
+  +pidgin-2.10.6.ebuild:
+  non-maintainer commit: Version bump. Removed "old".
+
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-11 23:31:43 UTC 
Thanks for the report, Andrzej.

@net-im, may we proceed to stabilize =net-im/pidgin-2.10.6 ?
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-07-12 00:54:21 UTC 
CVE-2012-3374 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3374):
  Buffer overflow in markup.c in the MXit protocol plugin in libpurple in
  Pidgin before 2.10.5 allows remote attackers to execute arbitrary code via a
  crafted inline image in a message.
Comment 6 ChaosEngine 2012-07-30 12:30:49 UTC 
Will it be stabilized anytime soon?
Comment 7 Olivier Crete (RETIRED) gentoo-dev 2012-08-09 00:11:57 UTC 
go stable!
Comment 8 Andreas Schürch gentoo-dev 2012-08-09 16:06:23 UTC 
x86 stable, thanks.
Comment 9 Brent Baude (RETIRED) gentoo-dev 2012-08-09 18:24:34 UTC 
ppc done
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2012-08-10 13:45:50 UTC 
Stable for HPPA.
Comment 11 Agostino Sarubbo gentoo-dev 2012-08-10 17:19:03 UTC 
amd64 stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2012-08-19 14:20:30 UTC 
alpha/ia64/sparc stable
Comment 13 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-20 12:59:57 UTC 
ppc64 stable, last arch done
Comment 14 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-20 13:28:42 UTC 
Thanks, everyone.

Filing a new GLSA request.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-09-27 12:14:47 UTC 
This issue was resolved and addressed in
 GLSA 201209-17 at http://security.gentoo.org/glsa/glsa-201209-17.xml
by GLSA coordinator Sean Amoss (ackle).