Bug 6709

Summary: [Update Request] Update pidgin to fix CVE-2012-3374
Product: Mageia Reporter: Funda Wang <fundawang>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, fundawang, luigiwalser, mageia, olivier.delaune, shlomif, stormi-mageia, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3374
Whiteboard: MGA1TOO, MGA1-32-OK, MGA2-32-OK, MGA2-64-OK, MGA1-64-OK
Source RPM: pidgin-2.10.5-1.mga CVE:
Status comment:

Description Funda Wang 2012-07-06 04:14:25 CEST 
Pidgin version less than 2.10.5 contain a security vulnerability, which will cause a buffer overflow when parsing incoming messages containing inline images (CVE-2012-3374).

The packages in Mageia 2 and Mageia 1 has been updated to 2.10.5 to fix this vulnerability.
Funda Wang 2012-07-06 04:15:22 CEST

Whiteboard: (none) => MGA1TOO

Olivier Delaune 2012-07-06 06:40:10 CEST

CC: (none) => olivier.delaune
Blocks: (none) => 6705

Comment 1 Sander Lepik 2012-07-06 09:59:39 CEST 
Tested on mga1 x86_64, seems to work as before.

CC: (none) => sander.lepik
Whiteboard: MGA1TOO => MGA1TOO, MGA1-64-OK

Comment 2 David Walser 2012-07-06 13:48:59 CEST 
*** Bug 6705 has been marked as a duplicate of this bug. ***

Blocks: 6705 => (none)
CC: (none) => luigiwalser

Comment 3 David Walser 2012-07-06 13:53:23 CEST 
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3374
http://www.pidgin.im/news/security/?id=64
http://developer.pidgin.im/wiki/ChangeLog

Packages in core/updates_testing:
pidgin-2.10.5-1.mga1
pidgin-plugins-2.10.5-1.mga1
pidgin-perl-2.10.5-1.mga1
pidgin-tcl-2.10.5-1.mga1
pidgin-silc-2.10.5-1.mga1
libpurple-devel-2.10.5-1.mga1
libpurple0-2.10.5-1.mga1
libfinch0-2.10.5-1.mga1
finch-2.10.5-1.mga1
pidgin-bonjour-2.10.5-1.mga1
pidgin-meanwhile-2.10.5-1.mga1
pidgin-client-2.10.5-1.mga1
pidgin-i18n-2.10.5-1.mga1
pidgin-2.10.5-1.mga2
pidgin-plugins-2.10.5-1.mga2
pidgin-perl-2.10.5-1.mga2
pidgin-tcl-2.10.5-1.mga2
pidgin-silc-2.10.5-1.mga2
libpurple-devel-2.10.5-1.mga2
libpurple0-2.10.5-1.mga2
libfinch0-2.10.5-1.mga2
finch-2.10.5-1.mga2
pidgin-bonjour-2.10.5-1.mga2
pidgin-meanwhile-2.10.5-1.mga2
pidgin-client-2.10.5-1.mga2
pidgin-i18n-2.10.5-1.mga2

from SRPMS:
pidgin-2.10.5-1.mga1.src.rpm
pidgin-2.10.5-1.mga2.src.rpm
David Walser 2012-07-06 22:20:26 CEST

CC: (none) => shlomif

Comment 4 David Walser 2012-07-06 22:22:09 CEST 
A bug snuck into 2.10.5 (see the website or ChangeLog), so 2.10.6 has been released to fix that.  We should provide it.

CC: (none) => qa-bugs
Assignee: qa-bugs => fundawang

Comment 5 David Walser 2012-07-07 16:19:36 CEST 
Built by Funda.  Thanks Funda.

Packages in core/updates_testing:
pidgin-2.10.6-1.mga1
pidgin-plugins-2.10.6-1.mga1
pidgin-perl-2.10.6-1.mga1
pidgin-tcl-2.10.6-1.mga1
pidgin-silc-2.10.6-1.mga1
libpurple-devel-2.10.6-1.mga1
libpurple0-2.10.6-1.mga1
libfinch0-2.10.6-1.mga1
finch-2.10.6-1.mga1
pidgin-bonjour-2.10.6-1.mga1
pidgin-meanwhile-2.10.6-1.mga1
pidgin-client-2.10.6-1.mga1
pidgin-i18n-2.10.6-1.mga1
pidgin-2.10.6-1.mga2
pidgin-plugins-2.10.6-1.mga2
pidgin-perl-2.10.6-1.mga2
pidgin-tcl-2.10.6-1.mga2
pidgin-silc-2.10.6-1.mga2
libpurple-devel-2.10.6-1.mga2
libpurple0-2.10.6-1.mga2
libfinch0-2.10.6-1.mga2
finch-2.10.6-1.mga2
pidgin-bonjour-2.10.6-1.mga2
pidgin-meanwhile-2.10.6-1.mga2
pidgin-client-2.10.6-1.mga2
pidgin-i18n-2.10.6-1.mga2

from SRPMS:
pidgin-2.10.6-1.mga1.src.rpm
pidgin-2.10.6-1.mga2.src.rpm

CC: qa-bugs => fundawang
Assignee: fundawang => qa-bugs

Sander Lepik 2012-07-07 16:23:22 CEST

Whiteboard: MGA1TOO, MGA1-64-OK => MGA1TOO

Comment 6 Dave Hodgins 2012-07-08 03:18:25 CEST 
No POC, so just testing that pidgin is working.

Testing complete on Mageia 1 i586.

CC: (none) => davidwhodgins
Whiteboard: MGA1TOO => MGA1TOO, MGA1-32-OK

Comment 7 Dave Hodgins 2012-07-08 04:22:55 CEST 
Testing complete on Mageia 2 i586.

Whiteboard: MGA1TOO, MGA1-32-OK => MGA1TOO, MGA1-32-OK, MGA2-32-OK

Comment 8 Shlomi Fish 2012-07-08 10:43:47 CEST 
Works fine on Mageia 2 x86-64.

Regards,

-- Shlomi Fish.

Whiteboard: MGA1TOO, MGA1-32-OK, MGA2-32-OK => MGA1TOO, MGA1-32-OK, MGA2-32-OK, MGA2-64-OK

Comment 9 Samuel Verschelde 2012-07-08 14:48:28 CEST 
Works fine on Mageia 1 x86_64.

No added dependencies detected by depcheck.

Update validated for both Mageia 2 and Mageia 1, see comment #5 for SRPMs.

Advisory :

Pidgin in versions less than 2.10.5 contains a security vulnerability, which will
cause a buffer overflow when parsing incoming messages containing inline images
(CVE-2012-3374).

The packages in Mageia 2 and Mageia 1 have been updated to 2.10.6 to fix this
vulnerability.

Keywords: (none) => validated_update
CC: (none) => stormi, sysadmin-bugs
Whiteboard: MGA1TOO, MGA1-32-OK, MGA2-32-OK, MGA2-64-OK => MGA1TOO, MGA1-32-OK, MGA2-32-OK, MGA2-64-OK, MGA1-64-OK

Comment 10 David Walser 2012-07-09 20:23:04 CEST 
Advisory issued by Debian on July 8:
http://www.debian.org/security/2012/dsa-2509
http://lwn.net/Vulnerabilities/505986/
Comment 11 Thomas Backlund 2012-07-10 02:22:18 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0154

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED