Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 612188 (CVE-2017-2640) - <net-im/pidgin-2.12.0: Out-of-bounds write in purple_markup_unescape_entity triggered by invalid XML
Summary: <net-im/pidgin-2.12.0: Out-of-bounds write in purple_markup_unescape_entity t...
Status: RESOLVED FIXED
Alias: CVE-2017-2640
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://pidgin.im/news/security/?id=109
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-03-10 10:40 UTC by Thomas Deutschmann
Modified: 2017-08-09 01:54 UTC (History)
1 user (show)

See Also:
Package list:
=net-im/pidgin-2.12.0
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann gentoo-dev Security 2017-03-10 10:40:31 UTC
An out-of-bounds write vulnerability was found in purple_markup_unescape_entity. It can be triggered by sending invalid XML entities separated by whitespace, eg "&#3000;". In default installation, this can get called only when receiving data from a server.
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-03-10 10:42:23 UTC
@ Maintainer(s): Please bump to >=net-im/pidgin-2.12.0 and tell us if the ebuild is already ready for stabilization.
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2017-03-10 11:32:21 UTC
commit 537cb9899b69046682bbf4866d69ad6f03d70e7b
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Fri Mar 10 12:14:23 2017

    net-im/pidgin: Security bump to version 2.12.0 (bug #612188).

    Package-Manager: Portage-2.3.4, Repoman-2.3.2


Arches please test and mark stable =net-im/pidgin-2.12.0 with target KEYWORDS:

alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 ~amd64-linux ~x86-linux ~x86-macos
Comment 3 Agostino Sarubbo gentoo-dev 2017-03-10 13:09:19 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2017-03-10 13:09:58 UTC
x86 stable
Comment 5 Michael Weber (RETIRED) gentoo-dev 2017-03-10 16:59:09 UTC
ppc64 stable.
Comment 6 Agostino Sarubbo gentoo-dev 2017-03-11 17:21:30 UTC
ia64 stable
Comment 7 Michael Weber (RETIRED) gentoo-dev 2017-03-11 23:13:46 UTC
arm ppc stable.
Comment 8 Jeroen Roovers gentoo-dev 2017-03-14 16:25:12 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2017-03-17 10:43:18 UTC
sparc stable
Comment 10 Tobias Klausmann gentoo-dev 2017-04-05 07:29:52 UTC
Stable on alpha.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev Security 2017-04-19 06:29:03 UTC
Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2017-06-06 19:40:16 UTC
This issue was resolved and addressed in
 GLSA 201706-10 at https://security.gentoo.org/glsa/201706-10
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 13 Kristian Fiskerstrand gentoo-dev Security 2017-06-07 10:56:32 UTC
Re-opening for cleanup
Comment 14 Yury German Gentoo Infrastructure gentoo-dev Security 2017-07-04 21:28:31 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 15 Lars Wendler (Polynomial-C) gentoo-dev 2017-07-05 09:26:39 UTC
commit f8816e402b0d7af24582a5a6c1570c99343c61ab (HEAD -> master, origin/master, origin/HEAD)             
Author: Lars Wendler <polynomial-c@gentoo.org>      
Date:   Wed Jul 5 11:24:51 2017                     

    net-im/pidgin: Security cleanup for bug #612188 
                                                    
    Package-Manager: Portage-2.3.6, Repoman-2.3.2
Comment 16 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-08-09 01:54:27 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #15)
> commit f8816e402b0d7af24582a5a6c1570c99343c61ab (HEAD -> master,
> origin/master, origin/HEAD)             
> Author: Lars Wendler <polynomial-c@gentoo.org>      
> Date:   Wed Jul 5 11:24:51 2017                     
> 
>     net-im/pidgin: Security cleanup for bug #612188 
>                                                     
>     Package-Manager: Portage-2.3.6, Repoman-2.3.2

thank you.