Bug 14344

Summary: pidgin new security issues CVE-2014-369[4-6] and CVE-2014-3698
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, ottoleipala1, rverschelde, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/617972/
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok advisory
Source RPM: pidgin-2.10.9-1.1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-10-22 18:32:34 CEST 
A new version of Pidgin has been released today, fixing security issues:
https://developer.pidgin.im/wiki/ChangeLog

Here are the corresponding security advisories:
http://www.pidgin.im/news/security/?id=86
http://www.pidgin.im/news/security/?id=87
http://www.pidgin.im/news/security/?id=88
http://www.pidgin.im/news/security/?id=90

Note that I didn't include CVE-2014-3697 which only affects Windows.

Freeze push has been requested for Cauldron.

Oden has uploaded updated packages for Mageia 3 and Mageia 4.

Advisory:
========================

Updated pidgin packages fix security vulnerabilities:

In Pidgin before 2.10.10, both of libpurple's bundled SSL/TLS plugins (one
for GnuTLS and one for NSS) failed to check that the Basic Constraints
extension allowed intermediate certificates to act as CAs. This allowed
anyone with any valid certificate to create a fake certificate for any
arbitrary domain and Pidgin would trust it (CVE-2014-3694).

In Pidgin before 2.10.10, a malicious server or man-in-the-middle could
trigger a crash in libpurple by sending an emoticon with an overly large
length value (CVE-2014-3695).

In Pidgin before 2.10.10, a malicious server or man-in-the-middle could
trigger a crash in libpurple by specifying that a large amount of memory
should be allocated in many places in the UI (CVE-2014-3696).

In Pidgin before 2.10.10, a malicious server and possibly even a malicious
remote user could create a carefully crafted XMPP message that causes
libpurple to send an XMPP message containing arbitrary memory
(CVE-2014-3698).

The pidgin package has been updated to version 2.10.10 which fixes these
issues and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3694
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3695
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3696
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3698
http://www.pidgin.im/news/security/?id=86
http://www.pidgin.im/news/security/?id=87
http://www.pidgin.im/news/security/?id=88
http://www.pidgin.im/news/security/?id=90
https://developer.pidgin.im/wiki/ChangeLog
========================

Updated packages in core/updates_testing:
========================
pidgin-2.10.10-1.mga3
pidgin-plugins-2.10.10-1.mga3
pidgin-perl-2.10.10-1.mga3
pidgin-tcl-2.10.10-1.mga3
pidgin-silc-2.10.10-1.mga3
libpurple-devel-2.10.10-1.mga3
libpurple0-2.10.10-1.mga3
libfinch0-2.10.10-1.mga3
finch-2.10.10-1.mga3
pidgin-bonjour-2.10.10-1.mga3
pidgin-meanwhile-2.10.10-1.mga3
pidgin-client-2.10.10-1.mga3
pidgin-i18n-2.10.10-1.mga3
pidgin-2.10.10-1.mga4
pidgin-plugins-2.10.10-1.mga4
pidgin-perl-2.10.10-1.mga4
pidgin-tcl-2.10.10-1.mga4
pidgin-silc-2.10.10-1.mga4
libpurple-devel-2.10.10-1.mga4
libpurple0-2.10.10-1.mga4
libfinch0-2.10.10-1.mga4
finch-2.10.10-1.mga4
pidgin-bonjour-2.10.10-1.mga4
pidgin-meanwhile-2.10.10-1.mga4
pidgin-client-2.10.10-1.mga4
pidgin-i18n-2.10.10-1.mga4

from SRPMS:
pidgin-2.10.10-1.mga3.src.rpm
pidgin-2.10.10-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-10-22 18:32:40 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Otto Leipälä 2014-10-22 18:40:10 CEST 
I'll start to test it all releases and arch.

CC: (none) => ozkyster

Comment 2 Otto Leipälä 2014-10-23 16:45:08 CEST 
Update tested and validated sysadmin push this to updates.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok

Comment 3 Rémi Verschelde 2014-10-23 16:53:23 CEST 
Advisory uploaded.

CC: (none) => remi
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok => MGA3TOO mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok advisory

Comment 4 David Walser 2014-10-24 18:54:00 CEST 
Debian has issued an advisory for this on October 23:
https://www.debian.org/security/2014/dsa-3055

URL: (none) => http://lwn.net/Vulnerabilities/617972/

Comment 5 Mageia Robot 2014-10-25 22:23:46 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0425.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 Herman Viaene 2014-11-07 15:50:35 CET 
Works OK on Mageia4 KDE 64 bits

CC: (none) => herman.viaene