Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 612188 (CVE-2017-2640)

Summary: <net-im/pidgin-2.12.0: Out-of-bounds write in purple_markup_unescape_entity triggered by invalid XML
Product: Gentoo Security Reporter: Thomas Deutschmann (RETIRED) <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: polynomial-c
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://pidgin.im/news/security/?id=109
Whiteboard: B2 [glsa cve]
Package list:
=net-im/pidgin-2.12.0
 Runtime testing required: ---

Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-10 10:40:31 UTC 
An out-of-bounds write vulnerability was found in purple_markup_unescape_entity. It can be triggered by sending invalid XML entities separated by whitespace, eg "&#3000;". In default installation, this can get called only when receiving data from a server.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-10 10:42:23 UTC 
@ Maintainer(s): Please bump to >=net-im/pidgin-2.12.0 and tell us if the ebuild is already ready for stabilization.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-03-10 11:32:21 UTC 
commit 537cb9899b69046682bbf4866d69ad6f03d70e7b
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Fri Mar 10 12:14:23 2017

    net-im/pidgin: Security bump to version 2.12.0 (bug #612188).

    Package-Manager: Portage-2.3.4, Repoman-2.3.2


Arches please test and mark stable =net-im/pidgin-2.12.0 with target KEYWORDS:

alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 ~amd64-linux ~x86-linux ~x86-macos
Comment 3 Agostino Sarubbo gentoo-dev 2017-03-10 13:09:19 UTC 
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-03-10 13:09:58 UTC 
x86 stable
Comment 5 Michael Weber (RETIRED) gentoo-dev 2017-03-10 16:59:09 UTC 
ppc64 stable.
Comment 6 Agostino Sarubbo gentoo-dev 2017-03-11 17:21:30 UTC 
ia64 stable
Comment 7 Michael Weber (RETIRED) gentoo-dev 2017-03-11 23:13:46 UTC 
arm ppc stable.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-14 16:25:12 UTC 
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2017-03-17 10:43:18 UTC 
sparc stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2017-04-05 07:29:52 UTC 
Stable on alpha.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2017-04-19 06:29:03 UTC 
Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-06-06 19:40:16 UTC 
This issue was resolved and addressed in
 GLSA 201706-10 at https://security.gentoo.org/glsa/201706-10
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 13 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-06-07 10:56:32 UTC 
Re-opening for cleanup
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2017-07-04 21:28:31 UTC 
Maintainer(s), please drop the vulnerable version(s).
Comment 15 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-07-05 09:26:39 UTC 
commit f8816e402b0d7af24582a5a6c1570c99343c61ab (HEAD -> master, origin/master, origin/HEAD)             
Author: Lars Wendler <polynomial-c@gentoo.org>      
Date:   Wed Jul 5 11:24:51 2017                     

    net-im/pidgin: Security cleanup for bug #612188 
                                                    
    Package-Manager: Portage-2.3.6, Repoman-2.3.2
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2017-08-09 01:54:27 UTC 
(In reply to Lars Wendler (Polynomial-C) from comment #15)
> commit f8816e402b0d7af24582a5a6c1570c99343c61ab (HEAD -> master,
> origin/master, origin/HEAD)             
> Author: Lars Wendler <polynomial-c@gentoo.org>      
> Date:   Wed Jul 5 11:24:51 2017                     
> 
>     net-im/pidgin: Security cleanup for bug #612188 
>                                                     
>     Package-Manager: Portage-2.3.6, Repoman-2.3.2

thank you.