From ${URL} :
Description
Multiple vulnerabilities have been reported in Pidgin, which can be exploited by malicious people to manipulate certain data, cause a DoS (Denial of Service), and compromise a user's system.
1) An error within the MXit protocol plugin when saving images can be exploited to overwrite certain files.
2) A boundary error within the "mxit_cb_http_read()" function (libpurple/protocols/mxit/http.c) when parsing incoming HTTP headers can be exploited to cause a stack-based buffer overflow via a specially crafted HTTP header. Successful exploitation of this vulnerability may allow execution of arbitrary code.
3) An error within the "mw_prpl_normalize()" function (libpurple/protocols/sametime/sametime.c) when handling user ID longer than 4096 bytes can be exploited to cause a crash.
4) Some errors within the "upnp_parse_description_cb()", "purple_upnp_discover_send_broadcast()", "looked_up_public_ip_cb()", "looked_up_internal_ip_cb()", "purple_upnp_set_port_mapping()", and "purple_upnp_remove_port_mapping()" functions (libpurple/upnp.c) when handling UPnP requests can be exploited to cause crashes.
The vulnerabilities are reported in version 2.10.6. Prior versions may also be affected.
Solution
Update to version 2.10.7.
Provided and/or discovered by
The vendor credits:
1) Chris Wysopal, Veracode
2, 3, 4) Coverity static analysis
Original Advisory
Pidgin:
http://www.pidgin.im/news/security/?id=65
http://www.pidgin.im/news/security/?id=66
http://www.pidgin.im/news/security/?id=67
http://www.pidgin.im/news/security/?id=68
*** Bug 458304 has been marked as a duplicate of this bug. ***
Renaming the ebuild works well for me. I've added a patch that is already included in upstream's vcs to prevent a crash caused by a plugin. https://git.overlays.gentoo.org/gitweb/?p=user/mrueg.git;a=tree;f=net-im/pidgin;hb=HEAD
CVE-2013-0274 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0274): upnp.c in libpurple in Pidgin before 2.10.7 does not properly terminate long strings in UPnP responses, which allows remote attackers to cause a denial of service (application crash) by leveraging access to the local network.
CVE-2013-0273 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0273): sametime.c in the Sametime protocol plugin in libpurple in Pidgin before 2.10.7 does not properly terminate long user IDs, which allows remote servers to cause a denial of service (application crash) via a crafted packet.
CVE-2013-0272 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0272): Buffer overflow in http.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.7 allows remote servers to execute arbitrary code via a long HTTP header.
CVE-2013-0271 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0271): The MXit protocol plugin in libpurple in Pidgin before 2.10.7 might allow remote attackers to create or overwrite files via a crafted (1) mxit or (2) mxit/imagestrips pathname.
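The "does not properly terminate long strings" pattern named in CVE-2013-0273 and CVE-2013-0274, shown beside a hardened copy. This is an added example, not Pidgin's code and not part of the original thread: the function names, the buffer handling and the 5000-byte input are assumptions made for illustration; only the 4096-byte figure comes from the advisory text.

```c
#include <stdio.h>
#include <string.h>

#define ID_BUF_LEN 4096 /* size from the advisory; buffer layout is assumed */

/* Weak pattern: strncpy() writes no terminator when src holds ID_BUF_LEN
 * or more bytes, so later string functions run past the end of dst. */
void normalize_unterminated(char *dst, const char *src)
{
    strncpy(dst, src, ID_BUF_LEN);
}

/* Hardened pattern: bounded scan, bounded copy, explicit terminator.
 * Returns 1 if the ID had to be truncated, 0 otherwise. */
int normalize_terminated(char *dst, const char *src)
{
    const char *end = memchr(src, '\0', ID_BUF_LEN);
    size_t n = end ? (size_t)(end - src) : ID_BUF_LEN - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return end == NULL;
}

/* Looks for a terminator inside the buffer only, never beyond it. */
int is_terminated(const char *buf)
{
    return memchr(buf, '\0', ID_BUF_LEN) != NULL;
}

int main(void)
{
    static char id[5001], dst[ID_BUF_LEN]; /* constructed 5000-byte user ID */
    memset(id, 'A', sizeof id - 1);

    memset(dst, 'X', sizeof dst);
    normalize_unterminated(dst, id);
    printf("weak copy terminated:     %d\n", is_terminated(dst));

    int cut = normalize_terminated(dst, id);
    printf("hardened copy terminated: %d (truncated=%d)\n", is_terminated(dst), cut);
    return 0;
}
```

Returning the truncation flag lets the caller reject an over-long ID instead of silently acting on a shortened one.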
+*pidgin-2.10.7 (11 Mar 2013) + + 11 Mar 2013; Lars Wendler <polynomial-c@gentoo.org> +pidgin-2.10.7.ebuild, + +files/pidgin-2.10.7-fix-cap.patch: + Non-maintainer commit: Security bump (bug #457580). Thanks to Manuel Rüger + for making us aware of a needed patch. +
Arches, please test and mark stable: =net-im/pidgin-2.10.7 Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
You missed Manuel's latest addition to the ebuild: epatch_user
amd64 stable
x86 stable
Stable for HPPA.
ppc stable
ppc64 stable
alpha stable
ia64 stable
sparc stable
New GLSA request filed.
For the record. I've revbumped pidgin due to bug #461530 and committed that revision straight to stable. So if you push out the GLSA you might want to reference to net-im/pidgin-2.10.7-r1
This issue was resolved and addressed in GLSA 201405-22 at http://security.gentoo.org/glsa/glsa-201405-22.xml by GLSA coordinator Sean Amoss (ackle).