Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 372785 (CVE-2011-2485) - <net-im/pidgin-2.9.0: remote denial-of-service bug related to displaying buddy icons (CVE-2011-2485)
Summary: <net-im/pidgin-2.9.0: remote denial-of-service bug related to displaying budd...
Status: RESOLVED FIXED
Alias: CVE-2011-2485
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://pidgin.im/news/security/?id=52
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-06-24 09:12 UTC by tman
Modified: 2012-06-21 18:29 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description tman 2011-06-24 09:12:00 UTC
new version released. please bump

http://developer.pidgin.im/wiki/ChangeLog

Reproducible: Always
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2011-06-24 17:13:57 UTC
Fixed:
 * Fix a potential remote denial-of-service bug related to displaying buddy icons.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-06-26 16:01:14 UTC
(In reply to comment #0)
> new version released. please bump
> 

Thank you for the report, tman.
Comment 3 Peter Volkov (RETIRED) gentoo-dev 2011-06-27 12:58:04 UTC
New version is in the tree. Arch teams, please, test and stabilize. TIA.
Comment 4 Agostino Sarubbo gentoo-dev 2011-06-27 16:13:45 UTC
It requires: =net-libs/libgadu-1.11.0, advise from maintainer?
Comment 5 Agostino Sarubbo gentoo-dev 2011-06-27 16:54:10 UTC
I'm not a pidgin guru, but when I open:


(18:49:22) pounce: Error reading pounces: Failed to open file '/home/ago/.purple/pounces.xml': No such file or directory
(18:49:22) gtkutils: gdk_pixbuf_new_from_file() returned nothing for file /usr/share/icons/hicolor/scalable/apps/pidgin.svg: Couldn't recognize the image file format for file '/usr/share/icons/hicolor/scalable/apps/pidgin.svg'


Are they expected?

And from build log:

/bin/sh ../../../libtool --silent  --tag=CC   --mode=compile x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I../../..  -I../../.. -I../../../libpurple -I../../../libpurple -DLIBDIR=\"/usr/lib64/purple-2\" -Wall  -DPURPLE_DISABLE_DEPRECATED -DPIDGIN_DISABLE_DEPRECATED -DFINCH_DISABLE_DEPRECATED -DGNT_DISABLE_DEPRECATED -Waggregate-return -Wcast-align -Wdeclaration-after-statement -Wendif-labels -Werror-implicit-function-declaration -Wextra -Wno-sign-compare -Wno-unused-parameter -Wformat-security -Werror=format-security -Winit-self -Wmissing-declarations -Wmissing-noreturn -Wmissing-prototypes -Wpointer-arith -Wundef -Wp,-D_FORTIFY_SOURCE=2 -pthread -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include    -D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64  -I/usr/lib64/perl5/5.12.3/x86_64-linux-thread-multi/CORE    -g -march=native -O2 -g0 -MT perl-handlers.lo -MD -MP -MF .deps/perl-handlers.Tpo -c -o perl-handlers.lo perl-handlers.c

Can you drop -pipe and -g? TY
Comment 6 Ian Delaney (RETIRED) gentoo-dev 2011-06-27 17:12:17 UTC
amd64:

net-libs/libgadu-1.11.0 suffers from a test failure atm.

Otherwise emerged and seem to work
Comment 7 Andreas Schürch gentoo-dev 2011-06-28 06:33:50 UTC
I tested libgadu and pidgin on x86. All good here.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2011-06-29 01:55:48 UTC
Stable for HPPA.
Comment 9 Thomas Kahle (RETIRED) gentoo-dev 2011-06-29 12:45:14 UTC
x86 stable. Thanks Andreas
Comment 10 Christoph Mende (RETIRED) gentoo-dev 2011-06-29 15:03:32 UTC
amd64 stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2011-07-03 16:22:22 UTC
alpha/ia64/sparc stable
Comment 12 Mark Loeser (RETIRED) gentoo-dev 2011-07-06 22:47:32 UTC
ppc64 done
Comment 13 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-07-09 16:49:49 UTC
ppc stable, last arch done
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2011-07-09 18:30:05 UTC
Thanks, folks. GLSA Vote: no.
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:34:49 UTC
Vote: YES. Added to pending GLSA request.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 18:29:05 UTC
This issue was resolved and addressed in
 GLSA 201206-11 at http://security.gentoo.org/glsa/glsa-201206-11.xml
by GLSA coordinator Stefan Behte (craig).