Bug 30438

Summary: pidgin new security issue CVE-2022-26491
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, guillaume.royer, mageia, smelror, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
See Also: https://bugs.mageia.org/show_bug.cgi?id=29149
Whiteboard: MGA8-64-OK
Source RPM: pidgin-2.14.1-6.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-05-16 20:12:37 CEST 
SUSE has issued an advisory today (May 16):
https://lists.suse.com/pipermail/sle-security-updates/2022-May/011017.html

The issue is fixed upstream in 2.14.9.
David Walser 2022-05-16 20:13:04 CEST

Status comment: (none) => Fixed upstream in 2.14.9
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=29149

Comment 2 Nicolas Lécureuil 2022-05-18 09:40:10 CEST 
Fixed in mga8:

src:
    - pidgin-2.14.1-6.1.mga8

Assignee: smelror => qa-bugs
Status comment: Fixed upstream in 2.14.9 => (none)
CC: (none) => mageia, smelror

Comment 3 David Walser 2022-05-18 18:29:56 CEST 
pidgin-2.14.1-6.1.mga8
pidgin-plugins-2.14.1-6.1.mga8
libpurple0-2.14.1-6.1.mga8
libpurple-devel-2.14.1-6.1.mga8
pidgin-perl-2.14.1-6.1.mga8
finch-2.14.1-6.1.mga8
pidgin-client-2.14.1-6.1.mga8
pidgin-silc-2.14.1-6.1.mga8
pidgin-meanwhile-2.14.1-6.1.mga8
pidgin-bonjour-2.14.1-6.1.mga8
libfinch0-2.14.1-6.1.mga8
pidgin-tcl-2.14.1-6.1.mga8
pidgin-i18n-2.14.1-6.1.mga8

from pidgin-2.14.1-6.1.mga8.src.rpm
Comment 4 David Walser 2022-05-19 19:00:22 CEST 
Fedora has issued an advisory for this today (May 19):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/56CQ66SQFAFDB2JPMOCRC2IJISJ4Y5FX/

Upstream has issued an advisory for this on April 28:
https://pidgin.im/about/security/advisories/cve-2022-26491/

Severity: normal => major

Comment 5 Guillaume Royer 2022-05-24 16:11:59 CEST 
MGA XFCE 

Updated with QA repo and rpms:

lib64purple0                   2.14.1       6.1.mga8      x86_64  
pidgin                         2.14.1       6.1.mga8      x86_64  
pidgin-i18n                    2.14.1       6.1.mga8      noarch  
pidgin-plugins                 2.14.1       6.1.mga8      x86_64 

Tested with IRC chat, ok for me.

CC: (none) => guillaume.royer

Comment 6 Thomas Andrews 2022-05-27 16:16:11 CEST 
mga8-64 Plasma system. Installed pidgin, no issues. Once upon a time I had accounts with AIM and ICQ, but I've long since forgotten the necessary information to use them, if even they still exist. So, I also installed purple-facebook, and then successfully logged in to Facebook Messenger.

Updated using qarepo, then re-ran pidgin, which automatically logged into Facebook Messenger again, showing which of my friends were available to chat. 

Looks OK here, too. Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-05-28 02:49:32 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 7 Mageia Robot 2022-05-28 10:57:08 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0208.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED