An out-of-bounds write vulnerability was found in purple_markup_unescape_entity. It can be triggered by sending invalid XML entities separated by whitespace, eg "ஸ". In default installation, this can get called only when receiving data from a server.
@ Maintainer(s): Please bump to >=net-im/pidgin-2.12.0 and tell us if the ebuild is already ready for stabilization.
commit 537cb9899b69046682bbf4866d69ad6f03d70e7b Author: Lars Wendler <polynomial-c@gentoo.org> Date: Fri Mar 10 12:14:23 2017 net-im/pidgin: Security bump to version 2.12.0 (bug #612188). Package-Manager: Portage-2.3.4, Repoman-2.3.2 Arches please test and mark stable =net-im/pidgin-2.12.0 with target KEYWORDS: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 ~amd64-linux ~x86-linux ~x86-macos
amd64 stable
x86 stable
ppc64 stable.
ia64 stable
arm ppc stable.
Stable for HPPA.
sparc stable
Stable on alpha.
Arches, Thank you for your work. New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
This issue was resolved and addressed in GLSA 201706-10 at https://security.gentoo.org/glsa/201706-10 by GLSA coordinator Kristian Fiskerstrand (K_F).
Re-opening for cleanup
Maintainer(s), please drop the vulnerable version(s).
commit f8816e402b0d7af24582a5a6c1570c99343c61ab (HEAD -> master, origin/master, origin/HEAD) Author: Lars Wendler <polynomial-c@gentoo.org> Date: Wed Jul 5 11:24:51 2017 net-im/pidgin: Security cleanup for bug #612188 Package-Manager: Portage-2.3.6, Repoman-2.3.2
(In reply to Lars Wendler (Polynomial-C) from comment #15) > commit f8816e402b0d7af24582a5a6c1570c99343c61ab (HEAD -> master, > origin/master, origin/HEAD) > Author: Lars Wendler <polynomial-c@gentoo.org> > Date: Wed Jul 5 11:24:51 2017 > > net-im/pidgin: Security cleanup for bug #612188 > > Package-Manager: Portage-2.3.6, Repoman-2.3.2 thank you.