Summary: | <net-im/pidgin-2.10.7: Multiple Vulnerabilities (CVE-2013-{0271,0272,0273,0274}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | mrueg, net-im, yac |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://secunia.com/advisories/52178/ | ||
Whiteboard: | B1 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-02-14 18:57:55 UTC
*** Bug 458304 has been marked as a duplicate of this bug. *** Renaming the ebuild works well for me. I've added a patch that is already included in upstream's vcs to prevent a crash caused by a plugin. https://git.overlays.gentoo.org/gitweb/?p=user/mrueg.git;a=tree;f=net-im/pidgin;hb=HEAD CVE-2013-0274 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0274): upnp.c in libpurple in Pidgin before 2.10.7 does not properly terminate long strings in UPnP responses, which allows remote attackers to cause a denial of service (application crash) by leveraging access to the local network. CVE-2013-0273 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0273): sametime.c in the Sametime protocol plugin in libpurple in Pidgin before 2.10.7 does not properly terminate long user IDs, which allows remote servers to cause a denial of service (application crash) via a crafted packet. CVE-2013-0272 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0272): Buffer overflow in http.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.7 allows remote servers to execute arbitrary code via a long HTTP header. CVE-2013-0271 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0271): The MXit protocol plugin in libpurple in Pidgin before 2.10.7 might allow remote attackers to create or overwrite files via a crafted (1) mxit or (2) mxit/imagestrips pathname. +*pidgin-2.10.7 (11 Mar 2013) + + 11 Mar 2013; Lars Wendler <polynomial-c@gentoo.org> +pidgin-2.10.7.ebuild, + +files/pidgin-2.10.7-fix-cap.patch: + Non-maintainer commit: Security bump (bug #457580). Thanks to Manuel Rüger + for making us aware of a needed patch. + Arches, please test and mark stable: =net-im/pidgin-2.10.7 Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86" You missed Manuel latest addition to the ebuild: epatch_user amd64 stable x86 stable Stable for HPPA. ppc stable ppc64 stable alpha stable ia64 stable sparc stable New GLSA request filed. For the record. I've revbumped pidgin due to bug #461530 and comitted that revision straight to stable. So if you push out the GLSA you might want to reference to net-im/pidgin-2.10.7-r1 This issue was resolved and addressed in GLSA 201405-22 at http://security.gentoo.org/glsa/glsa-201405-22.xml by GLSA coordinator Sean Amoss (ackle). |