Bug 20442

Summary: pidgin new security issue CVE-2017-2640
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, shlomif, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Source RPM: pidgin-2.11.0-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-03-10 12:11:17 CET 
Pidgin 2.12.0 has been released on March 9, fixing a security issue:
https://bitbucket.org/pidgin/www/src/tip/htdocs/ChangeLog?fileviewer=file-view-default

It also fixed Freenode IRC authentication and a certificate validation error with Google that causes some users to not be able to connect (and others to not be able to stay connected).

Protocols for dead services have been removed, and some for upstream protocols that changed have been moved to third-party plugins.  It would be nice if we could package the new Yahoo! plugin.
David Walser 2017-03-10 12:11:26 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Shlomi Fish 2017-03-10 19:24:42 CET 
The package in Cauldron/v6 was already updated and I submitted an update to mga5 core/updates_testing.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 2 David Walser 2017-03-11 17:12:55 CET 
Thanks!  Any chance we can get that Yahoo! plugin packaged?

Advisory:
========================

Updated pidgin packages fix security vulnerability:

A server controlled by an attacker can send an invalid XML that can trigger an
out-of-bound memory access. This might lead to a crash or, in some extreme
cases, to remote code execution in the client-side (CVE-2017-2640).

The pidgin package has been updated to version 2.12.0, which fixes this issue
and other bugs, including certificate validation for the Google Talk protocol.
It also removes protocol plugins for services that are no longer available or
supported.  See the upstream ChangeLog for details.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2640
http://pidgin.im/news/security/?id=109
https://bitbucket.org/pidgin/www/src/tip/htdocs/ChangeLog?fileviewer=file-view-default
https://www.debian.org/security/2017/dsa-3806
========================

Updated packages in core/updates_testing:
========================
pidgin-2.12.0-1.mga5
pidgin-plugins-2.12.0-1.mga5
pidgin-perl-2.12.0-1.mga5
pidgin-tcl-2.12.0-1.mga5
pidgin-silc-2.12.0-1.mga5
libpurple-devel-2.12.0-1.mga5
libpurple0-2.12.0-1.mga5
libfinch0-2.12.0-1.mga5
finch-2.12.0-1.mga5
pidgin-bonjour-2.12.0-1.mga5
pidgin-meanwhile-2.12.0-1.mga5
pidgin-client-2.12.0-1.mga5
pidgin-i18n-2.12.0-1.mga5

from pidgin-2.12.0-1.mga5.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs

Dave Hodgins 2017-03-16 20:20:48 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 3 Dave Hodgins 2017-03-31 00:11:01 CEST 
Testing under virtualbox is showing a regression.

Before the update on an m5 i586 install, pidgin is working for irc. After
the update it isn't, and on the modify account dialog, the drop down box
for the protocol does not show any protocols to select from.

Whiteboard: advisory => advisory feedback

Comment 4 David Walser 2017-03-31 03:08:40 CEST 
Dave, did you update all of the relevant packages?
Comment 5 Dave Hodgins 2017-04-04 06:39:42 CEST 
That's embarrassing. Retested making sure I installed all of the updates, and it's
working. Not sure what I missed before.

Tested before and after installing the updates on both i586 and x86_64.

Validating the update.

Keywords: (none) => validated_update
Whiteboard: advisory feedback => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2017-04-04 08:44:55 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0102.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED