| Summary: | pidgin new security issues: CVE-2012-1178 and CVE-2011-4939 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, mageia, mageia, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://pidgin.im/news/security/?id=61 | ||
| Whiteboard: | |||
| Source RPM: | pidgin-2.10.1-1.mga1.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 5624 | ||
|
Description
David Walser
2012-03-15 23:07:14 CET

David Walser
2012-03-15 23:07:30 CET
CC: (none) => mageia

Manuel Hiebel
2012-03-16 00:04:27 CET
Assignee: bugsquad => mageia

Advisory: This update of pidgin fixes CVE-2012-1178 to prevent a possible remote crash in MSN because of badly encoded text received.

Packages:
- pidgin-2.10.1-1.1.mga1
- pidgin-plugins-2.10.1-1.1.mga1
- pidgin-perl-2.10.1-1.1.mga1
- pidgin-tcl-2.10.1-1.1.mga1
- pidgin-silc-2.10.1-1.1.mga1
- lib64purple-devel-2.10.1-1.1.mga1
- lib64purple0-2.10.1-1.1.mga1
- lib64finch0-2.10.1-1.1.mga1
- finch-2.10.1-1.1.mga1
- pidgin-bonjour-2.10.1-1.1.mga1
- pidgin-meanwhile-2.10.1-1.1.mga1
- pidgin-client-2.10.1-1.1.mga1
- pidgin-i18n-2.10.1-1.1.mga1
- pidgin-debug-2.10.1-1.1.mga1
Status: NEW => ASSIGNED

Damien Lallement
2012-03-16 02:23:44 CET
Hardware: i586 => All

Testing complete on i586 for the srpm pidgin-2.10.1-1.1.mga1.src.rpm. Just testing that pidgin is working with my Yahoo, Hotmail, and Gmail accounts. Same with finch.
CC: (none) => davidwhodgins

Just for reference, Mandriva says there's another CVE also fixed in this version: CVE-2011-4939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4939
http://pidgin.im/news/security/?id=60
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:029

(In reply to comment #3)
> Just for reference, Mandriva says there's another CVE also fixed in this
> version

It's not just Mandriva who says this. :) Simply look at this list, and check the Fixed In column: http://pidgin.im/news/security/

It was for CVE-2012-1178, not CVE-2011-4939. My bad...

As Mandriva has pidgin 2.10.2 in testing, I will change the update request to 2.10.2 (instead of 2.10.1 + patch). I will reassign to QA when available.
Assignee: qa-bugs => mageia

pidgin-2.10.2-1.1.mga1.src.rpm now available in core/updates_testing.
Assignee: mageia => qa-bugs

Advisory: This update of pidgin fixes CVE-2012-1178 and CVE-2011-4939. It also upgrades to 2.10.2 to allow upgrading from Mandriva 2010.2.
Summary: pidgin new security issue CVE-2012-1178 => pidgin new security issues: CVE-2012-1178 and CVE-2011-4939

Tested on x86_64, seems to work as before.
CC: (none) => sander.lepik

Tested OK i586. No PoCs. Validating.

Advisory
------------
This update to pidgin fixes two vulnerabilities. It also upgrades to 2.10.2 to allow upgrade from Mandriva 2010.2.

CVE-2012-1178 - The msn_oim_report_to_user function in oim.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.2 allows remote servers to cause a denial of service (application crash) via an OIM message that lacks UTF-8 encoding.

CVE-2011-4939 - The pidgin_conv_chat_rename_user function in gtkconv.c in Pidgin before 2.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by changing a nickname while in an XMPP chat room.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1178
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4939
-------------
SRPM: pidgin-2.10.2-1.1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates.
Thanks!
Keywords: (none) => validated_update

Update pushed.
Status: ASSIGNED => RESOLVED

Note that 2.10.2 broke the status of MSN buddies, see http://developer.pidgin.im/wiki/ChangeLog

"2.10.3 fixes a problem with MSN buddies appearing online when they shouldn't."

This is a regression in 2.10.2, so people upgrading to this version will be affected by this bug.

(In reply to comment #11)
> Note that 2.10.2 broke the status of MSN buddies, see
> http://developer.pidgin.im/wiki/ChangeLog
>
> "2.10.3 fixes a problem with MSN buddies appearing online when they shouldn't."
>
> This is a regression in 2.10.2, so people upgrading to this version will be
> affected by this bug.

Could you open a new bug report for this?
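As an added example (not code from Pidgin, libpurple or the Mageia package), this shows the kind of input check the CVE-2012-1178 entry in the validated advisory above describes: a strict UTF-8 validator applied to server-supplied OIM text before it reaches code that assumes well-formed UTF-8, so a malformed message is dropped and counted instead of crashing the client. The function names `utf8_valid` and `handle_oim_message`, the `oim_stats` record and the sample messages are constructed for this illustration and do not correspond to libpurple's API.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Strict UTF-8 validation (RFC 3629): rejects overlong forms, UTF-16
   surrogates, code points above U+10FFFF, stray continuation bytes and
   truncated sequences. Returns 1 when buf[0..len) is well-formed, else 0. */
int utf8_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = buf[i];
        size_t need;                        /* continuation bytes expected */
        unsigned char lo = 0x80, hi = 0xBF; /* allowed range of 2nd byte   */

        if (c < 0x80) {                     /* plain ASCII */
            i++;
            continue;
        } else if (c >= 0xC2 && c <= 0xDF) {
            need = 1;
        } else if (c >= 0xE0 && c <= 0xEF) {
            need = 2;
            if (c == 0xE0) lo = 0xA0;       /* overlong 3-byte form */
            if (c == 0xED) hi = 0x9F;       /* U+D800..U+DFFF surrogates */
        } else if (c >= 0xF0 && c <= 0xF4) {
            need = 3;
            if (c == 0xF0) lo = 0x90;       /* overlong 4-byte form */
            if (c == 0xF4) hi = 0x8F;       /* above U+10FFFF */
        } else {
            return 0;                       /* C0, C1, F5..FF or lone continuation */
        }
        if (len - i <= need)
            return 0;                       /* sequence truncated */
        if (buf[i + 1] < lo || buf[i + 1] > hi)
            return 0;
        for (size_t k = 2; k <= need; k++)
            if ((buf[i + k] & 0xC0) != 0x80)
                return 0;
        i += need + 1;
    }
    return 1;
}

/* Hypothetical handler (not libpurple's): server-supplied text is passed on
   only once it validates; anything else is dropped and counted rather than
   reaching code that assumes valid UTF-8, the failure mode in CVE-2012-1178. */
typedef struct { int delivered; int rejected; } oim_stats;

int handle_oim_message(const unsigned char *msg, size_t len, oim_stats *st)
{
    if (!utf8_valid(msg, len)) {
        st->rejected++;
        return 0;
    }
    st->delivered++;
    return 1;
}

int main(void)
{
    /* Constructed sample messages: valid ASCII, valid multibyte, a Latin-1
       byte that is not UTF-8, an overlong encoding and a truncated sequence. */
    static const char *samples[] = {
        "hello", "h\xc3\xa9llo", "caf\xe9", "\xc0\xaf", "\xe2\x82"
    };
    oim_stats st = {0, 0};
    for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        int ok = handle_oim_message((const unsigned char *)samples[n],
                                    strlen(samples[n]), &st);
        printf("message %zu: %s\n", n, ok ? "delivered" : "rejected");
    }
    printf("delivered=%d rejected=%d\n", st.delivered, st.rejected);
    return 0;
}
```

The validator works on a byte range rather than a NUL-terminated string so that a message containing an embedded NUL is still checked to its declared length; the handler records rejections so that a run of malformed messages from one server is visible in logs or counters rather than silently discarded.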
Frédéric "LpSolit" Buclin
2012-04-27 01:06:00 CEST
Blocks: (none) => 5624