Bug 13420 - pidgin new security issue CVE-2014-3775
Summary: pidgin new security issue CVE-2014-3775
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/599798/
Whiteboard: MGA3TOO has_procedure advisory mga3-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-05-21 18:23 CEST by David Walser
Modified: 2014-07-26 13:57 CEST (History)
4 users

See Also:
Source RPM: pidgin-2.10.9-2.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-05-21 18:23:52 CEST
Ubuntu has issued an advisory today (May 21):
http://www.ubuntu.com/usn/usn-2216-1/

It looks like we're currently building against the bundled libgadu, but there's an option in the spec to build against the system version.  Unless there's a good reason not to, we should build against the system version.

For this update, I think we could either just rebuild it against the system version, or wait for the next Pidgin update upstream.

Reproducible: 

Steps to Reproduce:
David Walser 2014-05-21 18:23:59 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-07-07 23:39:52 CEST
Just in case we get tired of waiting for Pidgin 2.10.10, we would also want to fix the broken Yahoo! protocol in the next update for this package.  It can be fixed by disabling gnutls or possibly by adding this patch from upstream:
https://hg.pidgin.im/pidgin/main/rev/42ba908c25c7
Comment 2 David Walser 2014-07-07 23:58:19 CEST
pidgin-2.10.9-4.mga5 built with system libgadu in Cauldron.

Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 3 David Walser 2014-07-11 20:03:10 CEST
Fixed packages uploaded for Mageia 3 and Mageia 4.

Note for the Yahoo! protocol, I believe the issue only affects Mageia 4 (as I didn't experience it until upgrading), but I've added the patch in both.  It shouldn't hurt anything in Mageia 3, but please do test it in both.

Advisory:
========================

Updated pidgin packages fix security vulnerability:

It was discovered that libgadu incorrectly handled certain messages from
file relay servers. A malicious remote server or a man in the middle could
use this issue to cause applications using libgadu to crash, resulting in a
denial of service, or possibly execute arbitrary code (CVE-2014-3775).

The pidgin package was built with a bundled copy of the libgadu library which
contained the vulnerable code.  It has now been built against the external
libgadu library, which had been fixed in a previous update.

This update also fixes an issue with the Yahoo! protocol that was caused by a
bad interaction with the GnuTLS library.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3775
http://www.ubuntu.com/usn/usn-2216-1/
========================

Updated packages in core/updates_testing:
========================
pidgin-2.10.9-1.1.mga3
pidgin-plugins-2.10.9-1.1.mga3
pidgin-perl-2.10.9-1.1.mga3
pidgin-tcl-2.10.9-1.1.mga3
pidgin-silc-2.10.9-1.1.mga3
libpurple-devel-2.10.9-1.1.mga3
libpurple0-2.10.9-1.1.mga3
libfinch0-2.10.9-1.1.mga3
finch-2.10.9-1.1.mga3
pidgin-bonjour-2.10.9-1.1.mga3
pidgin-meanwhile-2.10.9-1.1.mga3
pidgin-client-2.10.9-1.1.mga3
pidgin-i18n-2.10.9-1.1.mga3
pidgin-2.10.9-1.1.mga4
pidgin-plugins-2.10.9-1.1.mga4
pidgin-perl-2.10.9-1.1.mga4
pidgin-tcl-2.10.9-1.1.mga4
pidgin-silc-2.10.9-1.1.mga4
libpurple-devel-2.10.9-1.1.mga4
libpurple0-2.10.9-1.1.mga4
libfinch0-2.10.9-1.1.mga4
finch-2.10.9-1.1.mga4
pidgin-bonjour-2.10.9-1.1.mga4
pidgin-meanwhile-2.10.9-1.1.mga4
pidgin-client-2.10.9-1.1.mga4
pidgin-i18n-2.10.9-1.1.mga4

from SRPMS:
pidgin-2.10.9-1.1.mga3.src.rpm
pidgin-2.10.9-1.1.mga4.src.rpm

Assignee: mageia => qa-bugs

Comment 4 Bill Wilkinson 2014-07-13 13:59:47 CEST
tested mga4-64

Yahoo and ICQ connect normally.  IRC connects to freenode with no problems.

As I don't have a gadu account, I attempted to create one, but the pidgin documentation refers to a register button which isn't there, so I'll have to let someone else with a gadu account test that part of it.

Will do general use on mga3 and i586.

CC: (none) => wrw105

Comment 5 Bill Wilkinson 2014-07-13 14:46:14 CEST
Mga3-64 works as above. Also no button to create a gadu account.
Comment 6 Bill Wilkinson 2014-07-13 16:00:06 CEST
mga 3 & 4 i586 both the same as above.
Comment 7 David Remy 2014-07-14 15:15:06 CEST
Tested on mga4-32

Yahoo, ICQ, MSN, AIM and IRC accounts all connect and work with no problems. I've created a Gadu account for testing and it connects but I don't have anyone to confirm chats are working. If anyone else has a Gadu account let me know and we can get each other added.

CC: (none) => dpremy

Comment 8 claire robinson 2014-07-14 16:55:52 CEST
Gadu is a Polish-language-only IM service; we sometimes also get libgadu3 to test, and the best we can do is to show the library being used without causing errors in the application.

We can validate this one.

Whiteboard: MGA3TOO => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
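The advisory in Comment 3 says the fix is to link pidgin against the external libgadu instead of the bundled copy, and Comment 8 notes that the practical QA check is to show the system library being used. The following is an added example (not part of the bug report or of Mageia's QA procedure) that makes that check scriptable by inspecting `ldd` output; the plugin path `/usr/lib64/purple-2/libgg.so` and the sample `ldd` lines are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: decide from ldd output whether a libpurple protocol plugin
# is dynamically linked against the system libgadu. A build that still uses
# the bundled copy has the code compiled in and shows no libgadu.so entry.

# Return 0 when the ldd output passed as $1 lists a libgadu.so that was
# resolved to a real path (e.g. "libgadu.so.3 => /lib64/libgadu.so.3").
ldd_uses_system_libgadu() {
    printf '%s\n' "$1" | grep -q 'libgadu\.so[^ ]* => /'
}

# Return 0 when libgadu is wanted but the loader cannot find it, which
# would make the plugin fail to load rather than silently fall back.
ldd_libgadu_missing() {
    printf '%s\n' "$1" | grep -q 'libgadu\.so[^ ]* => not found'
}

# Run the check against a real plugin file. The default path is an
# assumption; adjust it to the distribution's libpurple plugin directory.
check_plugin() {
    plugin="${1:-/usr/lib64/purple-2/libgg.so}"
    [ -f "$plugin" ] || { echo "no such plugin: $plugin" >&2; return 2; }
    out=$(ldd "$plugin") || return 2
    if ldd_libgadu_missing "$out"; then
        echo "libgadu required but not found on this system"
        return 3
    fi
    if ldd_uses_system_libgadu "$out"; then
        echo "system libgadu in use"
        return 0
    fi
    echo "no libgadu dependency: bundled copy compiled in"
    return 1
}

# Constructed sample ldd output (not captured from a real machine) so the
# helpers can be exercised without the plugin installed.
SAMPLE_SYSTEM='	linux-vdso.so.1 (0x00007fff00000000)
	libgadu.so.3 => /lib64/libgadu.so.3 (0x00007f0000000000)
	libpurple.so.0 => /lib64/libpurple.so.0 (0x00007f0000100000)'
SAMPLE_BUNDLED='	linux-vdso.so.1 (0x00007fff00000000)
	libpurple.so.0 => /lib64/libpurple.so.0 (0x00007f0000100000)'
SAMPLE_MISSING='	libgadu.so.3 => not found
	libpurple.so.0 => /lib64/libpurple.so.0 (0x00007f0000100000)'
```

Running `check_plugin` on a box with the updated package should report the system library; the sample strings only exist so the classification logic can be tested offline.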

Comment 9 claire robinson 2014-07-14 17:29:33 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 10 Colin Guthrie 2014-07-26 13:57:17 CEST
Update pushed:

http://advisories.mageia.org/MGASA-2014-0295.html

Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED

