Bug 283324 (CVE-2009-3026) - <net-im/pidgin-2.5.9-r1: Information disclosure during XMPP session (CVE-2009-3026)
Summary: <net-im/pidgin-2.5.9-r1: Information disclosure during XMPP session (CVE-2009...
Status: RESOLVED FIXED
Alias: CVE-2009-3026
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/36384/
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-08-31 12:37 UTC by Tobias Heinlein (RETIRED)
Modified: 2009-10-22 19:13 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Tobias Heinlein (RETIRED) gentoo-dev 2009-08-31 12:37:48 UTC
From secunia:

2) The application connects to Jabberd servers that are not fully compliant with the XMPP specifications without encryption, even if the "Require SSL/TLS" setting is configured. This can be exploited to potentially disclose sensitive information transmitted during an XMPP session.

The security issue is reported in versions prior to 2.6.0.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2009-08-31 12:42:25 UTC
More information at http://developer.pidgin.im/ticket/8131

net-im, can we stabilize 2.6.1 or do you want to backport the patch to 2.5.9?
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2009-08-31 12:45:46 UTC
Just for the record: =2.6.0 is affected by another vulnerability listed at $URL.
Comment 3 Olivier Crete (RETIRED) gentoo-dev 2009-08-31 16:10:31 UTC
I think we should wait for 2.6.1; it adds new deps that are not keyworded on all architectures yet, and has lots of new features, especially video calling.

So I added net-im/pidgin-2.5.9-r1 with the backported fix.
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2009-08-31 16:45:22 UTC
Thanks for the fast response.

Arches, please test and mark stable:
=net-im/pidgin-2.5.9-r1
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2009-09-01 06:56:21 UTC
x86 stable
Comment 6 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-01 11:03:39 UTC
CVE-2009-3026 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3026):
  protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly
  other versions, does not follow the "require TLS/SSL" preference when
  connecting to older Jabber servers that do not follow the XMPP
  specification, which causes libpurple to connect to the server
  without the expected encryption and allows remote attackers to sniff
  sessions.

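The NVD text above describes a fail-open policy check: the account says "require TLS/SSL", but that preference was only enforced on the modern STARTTLS path, and a server that never sends `<stream:features/>` (pre-XMPP Jabber behaviour) drops the client into the legacy `jabber:iq:auth` path, which authenticated over the plain TCP stream. The following C program is an added, constructed model of that decision logic, not libpurple's `auth.c` nor the Gentoo patch; the enum and function names are invented here, and the assumption that the missing check sat on the legacy fallback path is drawn from the CVE wording, not from the page. It shows the vulnerable decision beside the fixed one so the difference in outcome is explicit.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the libpurple Jabber connection phase described in
 * CVE-2009-3026. Not libpurple code; all names here are made up. */

/* What the server does after the client opens <stream:stream>. */
enum server_reply {
    FEATURES_WITH_STARTTLS,    /* XMPP server advertising <starttls/> */
    FEATURES_WITHOUT_STARTTLS, /* XMPP server offering no encryption */
    NO_FEATURES                /* old Jabber server: no <stream:features/> at all */
};

enum outcome {
    AUTH_ENCRYPTED,    /* authentication runs over TLS or old-style SSL */
    AUTH_PLAINTEXT,    /* credentials and session cross the wire in the clear */
    CONNECTION_REFUSED /* client aborts because its policy cannot be met */
};

/* Legacy jabber:iq:auth fallback. The vulnerable client (enforce_policy ==
 * false) never consults the "require TLS" preference here; the fixed client
 * refuses unless the socket was already SSL-wrapped from the start. */
static enum outcome legacy_auth(bool require_tls, bool old_style_ssl,
                                bool enforce_policy)
{
    if (old_style_ssl)
        return AUTH_ENCRYPTED;
    if (enforce_policy && require_tls)
        return CONNECTION_REFUSED;
    return AUTH_PLAINTEXT;
}

static enum outcome negotiate(bool require_tls, bool old_style_ssl,
                              enum server_reply reply, bool fixed)
{
    switch (reply) {
    case FEATURES_WITH_STARTTLS:
        /* Client sends <starttls/>, upgrades the socket, then authenticates. */
        return AUTH_ENCRYPTED;
    case FEATURES_WITHOUT_STARTTLS:
        /* The preference was honoured on this path even before the fix
         * (assumption of this model). */
        if (old_style_ssl)
            return AUTH_ENCRYPTED;
        return require_tls ? CONNECTION_REFUSED : AUTH_PLAINTEXT;
    case NO_FEATURES:
        /* Server never sent <stream:features/>: fall back to jabber:iq:auth. */
        return legacy_auth(require_tls, old_style_ssl, fixed);
    }
    return CONNECTION_REFUSED;
}

/* Behaviour of Pidgin < 2.6.1 / 2.5.9 as modelled here. */
enum outcome negotiate_vulnerable(bool require_tls, bool old_style_ssl,
                                  enum server_reply reply)
{
    return negotiate(require_tls, old_style_ssl, reply, false);
}

/* Behaviour with the backported fix: fail closed on the legacy path. */
enum outcome negotiate_fixed(bool require_tls, bool old_style_ssl,
                             enum server_reply reply)
{
    return negotiate(require_tls, old_style_ssl, reply, true);
}

static const char *name(enum outcome o)
{
    return o == AUTH_ENCRYPTED ? "encrypted"
         : o == AUTH_PLAINTEXT ? "PLAINTEXT"
         : "refused";
}

int main(void)
{
    /* Account with "Require SSL/TLS" set, plain port 5222, three server kinds. */
    const enum server_reply replies[] = {
        FEATURES_WITH_STARTTLS, FEATURES_WITHOUT_STARTTLS, NO_FEATURES
    };
    const char *labels[] = { "features+starttls", "features, no starttls",
                             "no features (old jabberd)" };
    for (int i = 0; i < 3; i++)
        printf("%-26s vulnerable=%-10s fixed=%s\n", labels[i],
               name(negotiate_vulnerable(true, false, replies[i])),
               name(negotiate_fixed(true, false, replies[i])));
    return 0;
}
```

The row that matters is the "no features" one: the unpatched decision yields a plaintext session despite the preference, the patched one refuses. Note that the server does not have to be genuinely old to reach that path; an active attacker on the wire who strips `<stream:features/>` from the server's reply steers a client into the same fallback, which is why the preference has to be enforced on every path that leads to authentication, not only on the STARTTLS one.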
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2009-09-01 14:07:11 UTC
Stable for HPPA.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2009-09-02 18:41:04 UTC
alpha/ia64/sparc stable
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2009-09-06 10:40:49 UTC
amd64 stable
Comment 10 Brent Baude (RETIRED) gentoo-dev 2009-09-06 23:39:01 UTC
ppc64 done
Comment 11 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev 2009-09-26 19:10:43 UTC
ppc stable.
That was the last arch so this bug is ready to be fixed by security team.

Btw, STABLEREQ isn't in KEYWORDS, so this bug wasn't in my list.
Let me know if it's not mandatory for security bugs so I can update my bug list.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2009-09-28 18:24:53 UTC
Thanks!
Ready to vote, I vote NO.

Thanks for pointing out the missing STABLEREQ; the Gentoo Linux Vulnerability Treatment Policy (http://www.gentoo.org/security/en/vulnerability-policy.xml) says:

"once an ebuild is committed, evaluate what keywords are needed for the fix ebuild and get arch-specific teams to test and mark the ebuild stable on their architectures (arch-teams should be cc'd on the bug, as well as releng during release preparation) and set status whiteboard to stable"

It's not mentioned, but I think it is desirable to add it. Maybe the GLVTP should be updated?
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-01 12:51:47 UTC
(In reply to comment #12)
> Thanks!
> Ready to vote, I vote NO.

No further votes necessary, the issue is already drafted. Needless to say, I vote YES.

> Thanks for pointing out the missing STABLEREQ, the Gentoo Linux Vulnerability
> Treatment Policy (http://www.gentoo.org/security/en/vulnerability-policy.xml)
> says: [...]
> 
> It's not mentioned, but I think it is desirable to add it. Maybe the GLVTP
> should be updated?

I just put this in the coordinator guide as I think it rather belongs there.
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-22 19:13:01 UTC
GLSA 200910-02, thanks everyone.