After the source: Incorrect handing of inline images in incoming instant messages can cause a buffer overflow and in some cases can be exploited to execute arbitrary code. Reproducible: Didn't try
+*pidgin-2.10.5 (06 Jul 2012) + + 06 Jul 2012; Lars Wendler <polynomial-c@gentoo.org> +pidgin-2.10.5.ebuild: + Security bump (bug #425076). +
2.10.6 fixes a bug which was introduced with 2.10.5
+*pidgin-2.10.6 (09 Jul 2012) + + 09 Jul 2012; Lars Wendler <polynomial-c@gentoo.org> -pidgin-2.10.5.ebuild, + +pidgin-2.10.6.ebuild: + non-maintainer commit: Version bump. Removed "old". +
Thanks for the report, Andrzej. @net-im, may we proceed to stabilize =net-im/pidgin-2.10.6 ?
CVE-2012-3374 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3374): Buffer overflow in markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.5 allows remote attackers to execute arbitrary code via a crafted inline image in a message.
Will it be stabilized anytime soon?
go stable!
x86 stable, thanks.
ppc done
Stable for HPPA.
amd64 stable
alpha/ia64/sparc stable
ppc64 stable, last arch done
Thanks, everyone. Filing a new GLSA request.
This issue was resolved and addressed in GLSA 201209-17 at http://security.gentoo.org/glsa/glsa-201209-17.xml by GLSA coordinator Sean Amoss (ackle).