Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 425076 (CVE-2012-3374) - <net-im/pidgin-2.10.6: MXit buffer overflow (CVE-2012-3374)
Summary: <net-im/pidgin-2.10.6: MXit buffer overflow (CVE-2012-3374)
Status: RESOLVED FIXED
Alias: CVE-2012-3374
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://www.pidgin.im/news/security/in...
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-06 16:03 UTC by ChaosEngine
Modified: 2012-09-27 12:14 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description ChaosEngine 2012-07-06 16:03:34 UTC
After the source:

Incorrect handing of inline images in incoming instant messages can cause a buffer overflow and in some cases can be exploited to execute arbitrary code.

Reproducible: Didn't try
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2012-07-06 16:25:46 UTC
+*pidgin-2.10.5 (06 Jul 2012)
+
+  06 Jul 2012; Lars Wendler <polynomial-c@gentoo.org> +pidgin-2.10.5.ebuild:
+  Security bump (bug #425076).
+
Comment 2 Manuel Rüger (RETIRED) gentoo-dev 2012-07-07 00:04:13 UTC
2.10.6 fixes a bug which was introduced with 2.10.5
Comment 3 Lars Wendler (Polynomial-C) gentoo-dev 2012-07-09 14:01:42 UTC
+*pidgin-2.10.6 (09 Jul 2012)
+
+  09 Jul 2012; Lars Wendler <polynomial-c@gentoo.org> -pidgin-2.10.5.ebuild,
+  +pidgin-2.10.6.ebuild:
+  non-maintainer commit: Version bump. Removed "old".
+
Comment 4 Sean Amoss gentoo-dev Security 2012-07-11 23:31:43 UTC
Thanks for the report, Andrzej.

@net-im, may we proceed to stabilize =net-im/pidgin-2.10.6 ?
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-07-12 00:54:21 UTC
CVE-2012-3374 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3374):
  Buffer overflow in markup.c in the MXit protocol plugin in libpurple in
  Pidgin before 2.10.5 allows remote attackers to execute arbitrary code via a
  crafted inline image in a message.
Comment 6 ChaosEngine 2012-07-30 12:30:49 UTC
Will it be stabilized anytime soon?
Comment 7 Olivier Crete (RETIRED) gentoo-dev 2012-08-09 00:11:57 UTC
go stable!
Comment 8 Andreas Schürch gentoo-dev 2012-08-09 16:06:23 UTC
x86 stable, thanks.
Comment 9 Brent Baude (RETIRED) gentoo-dev 2012-08-09 18:24:34 UTC
ppc done
Comment 10 Jeroen Roovers gentoo-dev 2012-08-10 13:45:50 UTC
Stable for HPPA.
Comment 11 Agostino Sarubbo gentoo-dev 2012-08-10 17:19:03 UTC
amd64 stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2012-08-19 14:20:30 UTC
alpha/ia64/sparc stable
Comment 13 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2012-09-20 12:59:57 UTC
ppc64 stable, last arch done
Comment 14 Sean Amoss gentoo-dev Security 2012-09-20 13:28:42 UTC
Thanks, everyone.

Filing a new GLSA request.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-09-27 12:14:47 UTC
This issue was resolved and addressed in
 GLSA 201209-17 at http://security.gentoo.org/glsa/glsa-201209-17.xml
by GLSA coordinator Sean Amoss (ackle).