Bug 9064

2.10.7 has been submitted to mga2. someone has to submit it to cauldron.

You do realize that I don't see these bugs unless you CC me, or I just happen to go looking for them?

Checking that it builds now in Cauldron, then I'll request the freeze push.

Thanks.

CC: (none) => luigiwalser
Whiteboard: (none) => MGA2TOO

Instead there should be a new secteam@mageia.org "user" in bugzilla added. This email address points to a mailman gpg encrypted mailinglist where certain secteam members are subscribed.

To me as a mageia "newbie" it's painful to reassign bugs as mageia does not seem to use a common name standard like "David Walser <dwalser@mageia.org". E-mail addresses in rpm changelogs are cloaked. Irc nicknames are cloaked, inconsistent and/or incomplete (no info attached).

Segfault reported by Simon (Bug 9075) fixed and package rebuilt.

Assigning to QA.

Advisory:
========================

Updated pidgin packages fix security vulnerabilities:

Remote MXit user could specify local file path in Pidgin before 2.10.7.
The MXit protocol plugin saves an image to local disk using a filename
that could potentially be partially specified by the IM server or by a
remote user (CVE-2013-0271).

MXit buffer overflow reading data from network in Pidgin before 2.10.7.
The code did not respect the size of the buffer when parsing HTTP
headers, and a malicious server or man-in-the-middle could send
specially crafted data that could overflow the buffer.  This could
lead to a crash or remote code execution (CVE-2013-0272).

Sametime crash with long user IDs in Pidgin before 2.10.7.  libpurple
failed to null-terminate user IDs that were longer than 4096 bytes.
It's plausible that a malicious server could send one of these to us,
which would lead to a crash (CVE-2013-0273).

Crash when receiving a UPnP response with abnormally long values in
Pidgin before 2.10.7.  libpurple failed to null-terminate some strings
when parsing the response from a UPnP router.  This could lead to a
crash if a malicious user on your network responds with a specially
crafted message (CVE-2013-0274).

Pidgin has been updated to 2.10.7, which fixes these and other issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0271
http://pidgin.im/news/security/?id=65
http://pidgin.im/news/security/?id=66
http://pidgin.im/news/security/?id=67
http://pidgin.im/news/security/?id=68
https://developer.pidgin.im/wiki/ChangeLog
========================

Updated packages in core/updates_testing:
========================
pidgin-2.10.7-1.1.mga2
pidgin-plugins-2.10.7-1.1.mga2
pidgin-perl-2.10.7-1.1.mga2
pidgin-tcl-2.10.7-1.1.mga2
pidgin-silc-2.10.7-1.1.mga2
libpurple-devel-2.10.7-1.1.mga2
libpurple0-2.10.7-1.1.mga2
libfinch0-2.10.7-1.1.mga2
finch-2.10.7-1.1.mga2
pidgin-bonjour-2.10.7-1.1.mga2
pidgin-meanwhile-2.10.7-1.1.mga2
pidgin-client-2.10.7-1.1.mga2
pidgin-i18n-2.10.7-1.1.mga2

from pidgin-2.10.7-1.1.mga2.src.rpm

Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO => (none)

No POC.  Connected to yahoo, IRC and ICQ and facebook chat.

Appicon does not show up in KDE4 task bar, but that's probably minor with the systray icon anyway.

MGA2-64 OK

CC: (none) => wrw105
Whiteboard: (none) => MGA2-64-OK

Testing complete mga2 32

Well done Bill, thankyou. Keep doing what you're doing :)
Connected WLM & IRC

Validating

Advisory & srpm in comment 4

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA2-64-OK => has_procedure MGA2-64-OK mga2-32-OK

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0058

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED