Bug 5624

Summary: Upgrade Pidgin to 2.10.4 to fix CVE-2012-2214
Product: Mageia Reporter: Frédéric "LpSolit" Buclin <LpSolit>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, eeeemail, luigiwalser, mageia, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: Mageia 1   
Hardware: All   
OS: Linux   
URL: http://developer.pidgin.im/wiki/ChangeLog
Whiteboard:
Source RPM: pidgin-2.10.3-1.1.mga1.src.rpm CVE:
Status comment:
Bug Depends on: 2750, 4965    
Bug Blocks:    

Description Frédéric "LpSolit" Buclin 2012-04-27 01:06:00 CEST 
See bug 4965 comment 11: the upgrade to Pidgin 2.10.2 introduced a regression where the status of MSN buddies is broken. Per http://developer.pidgin.im/wiki/ChangeLog:

"2.10.3 fixes a problem with MSN buddies appearing online when they shouldn't."

This happened to me right now where several of my contacts appeared as being still online when they were in fact offline. I had to close and reopen my MSN account to get the right status again. This is a bit annoying. Pidgin has been upgraded to 2.10.3 in Cauldron, but not in Mageia 1.
David Walser 2012-04-27 01:48:11 CEST

CC: (none) => luigiwalser, mageia

Manuel Hiebel 2012-04-27 11:42:11 CEST

Assignee: bugsquad => mageia

Comment 1 Damien Lallement 2012-04-29 19:17:35 CEST 
WIP

Status: NEW => ASSIGNED

Comment 2 Damien Lallement 2012-05-02 16:00:53 CEST 
Advisory
------------
This pidgin update fixes a bug with MSN buddies appearing online when they are not. I also upgrade to 2.10.3 to allow upgrade from Mandriva 2010.2.

http://developer.pidgin.im/ticket/14997
-------------

SRPM: pidgin-2.10.3-1.1.mga1.src.rpm

Please test this update request.

Assignee: mageia => qa-bugs
Source RPM: pidgin-2.10.2-1.1.mga1 => pidgin-2.10.3-1.1.mga1.src.rpm

Comment 3 David Walser 2012-05-02 17:39:27 CEST 
Damien,

Please ask the sysadmins to delete the RPM you just build and resubmit it.

But first, delete the "subrel" line from the SPEC file.  The RPM you just built has a newer version than the one in Cauldron because of it.  The update for Mageia 1 should not have a subrel.

CC: (none) => qa-bugs
Assignee: qa-bugs => mageia

Comment 4 Damien Lallement 2012-05-02 17:48:24 CEST 
Fixed in Cauldron. Please test this package. :-)
FYI, I'm sysadmin too.
Comment 5 David Walser 2012-05-02 17:51:20 CEST 
That wasn't the "appropriate" fix, but it will do.  Assigning back to QA.

CC: qa-bugs => (none)
Assignee: mageia => qa-bugs

Comment 6 Dave Hodgins 2012-05-02 20:47:07 CEST 
Testing complete on i586 for the srpm
pidgin-2.10.3-1.1.mga1.src.rpm

Tested using pidgin and finch.

CC: (none) => davidwhodgins

Comment 7 Damien Lallement 2012-05-03 13:32:21 CEST 
Please stop testing as I'm backporting a fix for bug #2750.

Depends on: (none) => 2750

Damien Lallement 2012-05-03 13:32:31 CEST

Assignee: qa-bugs => mageia

Comment 8 Frédéric "LpSolit" Buclin 2012-05-07 17:48:34 CEST 
Damien: Pidgin 2.10.4 has been releaed yesterday which fixes both the problem described in bug 2750 and also fixes two security bugs, see http://pidgin.im/news/security/. You could as well package 2.10.4 directly, and skip 2.10.3.
Comment 9 David Walser 2012-05-07 19:39:30 CEST 
Thanks Frédéric.  Damien, please update this for Cauldron also.

Summary: Upgrade Pidgin to 2.10.3 in Mageia 1 to fix a regression introduced in 2.10.2 => Upgrade Pidgin to 2.10.4 to fix CVE-2012-2214

Comment 10 Damien Lallement 2012-05-09 14:43:37 CEST 
Funda, as you played with it, I let you deal this update request.
Please, for future, tell me when working on my packages in order not to loose time on my side...

Assignee: mageia => fundawang

Comment 11 Funda Wang 2012-05-10 05:43:19 CEST 
*** Bug 2750 has been marked as a duplicate of this bug. ***

CC: (none) => eeeemail

Comment 12 Funda Wang 2012-05-10 05:44:15 CEST 
Packages pushed into mageia 1 core/updates_testing. Please test.

Assignee: fundawang => qa-bugs

Comment 13 David Walser 2012-05-10 15:04:12 CEST 
Now there's a CVE for both security issues fixed in 2.10.4

Note to QA: this is also in updates_testing for Cauldron and needs to be tested as an update for Mageia 2 as well.

Advisory:
========================

Updated pidgin packages fix security vulnerabilities:

A series of specially crafted file transfer requests can cause clients
to reference invalid memory. The user must have accepted one of the file
transfer requests (CVE-2012-2214).

Incoming messages with certain characters or character encodings can
cause clients to crash (CVE-2012-2318).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2318
http://pidgin.im/news/security/?id=62
http://pidgin.im/news/security/?id=63
========================

Updated packages in core/updates_testing:
========================
pidgin-2.10.4-1.mga1
pidgin-plugins-2.10.4-1.mga1
pidgin-perl-2.10.4-1.mga1
pidgin-tcl-2.10.4-1.mga1
pidgin-silc-2.10.4-1.mga1
libpurple-devel-2.10.4-1.mga1
libpurple0-2.10.4-1.mga1
libfinch0-2.10.4-1.mga1
finch-2.10.4-1.mga1
pidgin-bonjour-2.10.4-1.mga1
pidgin-meanwhile-2.10.4-1.mga1
pidgin-client-2.10.4-1.mga1
pidgin-i18n-2.10.4-1.mga1
pidgin-2.10.4-1.mga2
pidgin-plugins-2.10.4-1.mga2
pidgin-perl-2.10.4-1.mga2
pidgin-tcl-2.10.4-1.mga2
pidgin-silc-2.10.4-1.mga2
libpurple-devel-2.10.4-1.mga2
libpurple0-2.10.4-1.mga2
libfinch0-2.10.4-1.mga2
finch-2.10.4-1.mga2
pidgin-bonjour-2.10.4-1.mga2
pidgin-meanwhile-2.10.4-1.mga2
pidgin-client-2.10.4-1.mga2
pidgin-i18n-2.10.4-1.mga2

from SRPMS:
pidgin-2.10.4-1.mga1.src.rpm
pidgin-2.10.4-1.mga2.src.rpm
Comment 14 claire robinson 2012-05-10 17:28:55 CEST 
As discussed on IRC, QA is not responsible for testing updates in Cauldron. Until Cauldron is branched into final release, testing of updates there should be carried out in the usual manner and updates push requests posted to the dev ML as normal.

Thanks.
Comment 15 David Walser 2012-05-10 18:11:30 CEST 
Thanks for the clarification Claire.

Funda and Damien, if either of you can test and confirm this is working in Cauldron, you can submit a freeze push request today or tomorrow.
Comment 16 Damien Lallement 2012-05-10 18:27:34 CEST 
I asked Funda as he made this. I would never have push pidgin in testing... It's non sense as we are in freeze.
Comment 17 Damien Lallement 2012-05-10 18:28:01 CEST 
But please, test it for Mageia 1. This bug is for 1, not cauldron. ;-)
Comment 18 David Walser 2012-05-10 18:39:34 CEST 
Damien, we can't push an update for this in Mageia 1 if it's not in Cauldron.  Also, as Manuel just pointed out to me, final Cauldron freeze for security updates (as this is) happens after tomorrow.
Comment 19 Dave Hodgins 2012-05-10 23:13:32 CEST 
(In reply to comment #18)
> Damien, we can't push an update for this in Mageia 1 if it's not in Cauldron. 
> Also, as Manuel just pointed out to me, final Cauldron freeze for security
> updates (as this is) happens after tomorrow.

As pidgin is not on on the dvd, I don't see a problem pushing
the update for Mageia 1, as long as it gets pushed to core
updates in Cauldron, as well.
Comment 20 Dave Hodgins 2012-05-10 23:17:09 CEST 
Testing complete on i586 for Mageia 1, for the srpm
pidgin-2.10.4-1.mga1.src.rpm

Testing using yahoo, gmail, and a hotmail account.

Hardware: i586 => All

Comment 21 Damien Lallement 2012-05-16 13:10:07 CEST 
Ping? FYI, pidgin is now 2.10.4 in Cauldron.
Comment 22 David Walser 2012-05-16 15:40:46 CEST 
Tested on i586 in Comment 20, so this needs testing on x86_64 and then it can be pushed.
Comment 23 Frédéric "LpSolit" Buclin 2012-05-18 17:52:38 CEST 
Works for me too on i586 with Mga 1 using MSN, XMPP, AIM and IRC.
Comment 24 Dave Hodgins 2012-05-19 09:12:14 CEST 
The pidgin update still needs x86-64 testing.
Comment 25 Manuel Hiebel 2012-06-01 18:25:31 CEST 
pidgin ok on x86_64

Suggested Advisory:
-------------
Updated pidgin packages fix security vulnerabilities:

A series of specially crafted file transfer requests can cause clients
to reference invalid memory. The user must have accepted one of the file
transfer requests (CVE-2012-2214).

Incoming messages with certain characters or character encodings can
cause clients to crash (CVE-2012-2318).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2318
http://pidgin.im/news/security/?id=62
http://pidgin.im/news/security/?id=63

https://bugs.mageia.org/show_bug.cgi?id=5624
-------------

SRPM: pidgin-2.10.4-1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thankyou!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 26 Thomas Backlund 2012-06-10 04:38:53 CEST 
Update pushed.
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0109

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED