Bug 22729 - Pidgin 2.13.0
Summary: Pidgin 2.13.0
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-09 19:00 CET by David Walser
Modified: 2018-06-03 13:03 CEST

See Also:
Source RPM: pidgin-2.12.0-1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2018-03-09 19:00:16 CET
Pidgin 2.13.0 has been released on March 8.  It fixes some bugs that could lead to security issues, including use-after-free and out-of-bounds reads.  We should update it for Mageia 6.  The full ChangeLog is pasted below as it hasn't been posted on their website yet.

Note that Shlomi did a build but has the wrong release tag (0.1) and it should just be 1 (rel 1, no subrel).

version 2.13.0 (03/08/2018):
	libpurple:
	* Unified string comparison. (PR #186) (Arkadiy Illarionov)
	* Properly shell escape URIs when opening them. (PR #271 Daniel Kamil Kozar)
	* Fix a one byte buffer overread in function purple_markup_linkify
	* Fix an issue where utf8 was incorrectly truncated which could lead to
	  crashes as we were potentially feeding garbage into glib/gtk.

	libgnt:
	* Fixed build against curses 6.0 with opaque structs set. (#16764 dimstar)
	  (PR #268 Daniel Kamil Kozar)
	* Fixed a crash when resizing the window. (#16680 marcus) (PR #269 Daniel Kamil Kozar)

	General:
	* Fixed bashism in autotools. (#16836 lameventanas) (PR #267 Daniel Kamil Kozar)

	XMPP:
	* Show XEP-0066 OOB URLs in any message, not just headlines
	* Fix a use after free (#17200 debarshiray) (PR #266 Ethan Blanton)
	* Removed pipelining from BOSH connections (#17025 PR #295 Tom Li)
	* Don't try to TLS already secured BOSH connections (#17270 PR #293 Tom Li)

	IRC:
	* Fix "Registration timeout" on SASL auth with InspIRCd servers
	  (and possibly others not based on charybdis/ratbox/ircd-seven)
	* Fix issues with plugins that modify outgoing messages
	  (such as the custom PART/QUIT feature of the IRC More plugin)
	* Fix IRC buffer handling.  (#12562 PR #272 Shivaram Lingamneni)
	* Properly handle AUTHENTICATE as a normal command with server prefix.
	  (PR #316 dx)
	* Fix a crash caused by a use after free of the MOTD.
	* Fix an out of bounds read in irc_nick_skip_mode.
	* Fix a write of a single byte before the start of a buffer in
	  irc_parse_ctcp.

	Pidgin:
	* Better support for dark themes. (#12572 Alyssa Rosenzweig and Gary Kramlich)
	* Fixed IPv6 links by not escaping []'s. (#16391 cyisfor) (PR #270 Daniel Kamil Kozar)
	* Only write buddy icons to the cache if they're not already cached.  (PR #276 David Woodhouse)
	* Rejoin persistent chats after reconnect.  (#15687 PR #285 Christof Meerwald)
	* Made the WIN32 Transparency plugin work on all platforms. (#3124 PR #287 Daniel Kamil Kozar)
	* Ensure search results buttons are labeled (Backport from de2d88e575ee)
	* Fix matching unicode smilies.  (#17232 gnubfx PR #262 Daniel Kamil Kozar)
	* Correctly update mute/unmute status when the remote side mutes/unmutes us. (#17273 PR #302 David Woodhouse)
	* Rework the status icon blinking to not use deprecated API.  (#17174 zelch PR #264 Daniel Kamil Kozar)
	* Don't allow adding a buddy to protocols that don't have an add_buddy callback.  (#4061 Paradox)

	Finch:
	* Fix handling of search results (#17238 David Woodhouse)

	Voice & Video:
	* Port backend-fs to newer api for farstream relay-info property  (#17274 bellet)

Comment 1 Shlomi Fish 2018-05-22 12:37:41 CEST
Assigning to QA - I submitted a package with %mkrel 1.

Assignee: shlomif => qa-bugs

Comment 2 David Walser 2018-05-24 15:12:39 CEST
Thanks!

Advisory:
----------------------------------------

The pidgin package has been updated to version 2.13.0, which fixes several bugs.
See the upstream ChangeLog for details.

References:
https://bitbucket.org/pidgin/www/src/tip/htdocs/ChangeLog
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
pidgin-2.13.0-1.mga6
pidgin-plugins-2.13.0-1.mga6
pidgin-perl-2.13.0-1.mga6
pidgin-tcl-2.13.0-1.mga6
pidgin-silc-2.13.0-1.mga6
libpurple-devel-2.13.0-1.mga6
libpurple0-2.13.0-1.mga6
libfinch0-2.13.0-1.mga6
finch-2.13.0-1.mga6
pidgin-bonjour-2.13.0-1.mga6
pidgin-meanwhile-2.13.0-1.mga6
pidgin-client-2.13.0-1.mga6
pidgin-i18n-2.13.0-1.mga6

from pidgin-2.13.0-1.mga6.src.rpm

Comment 3 Thomas Andrews 2018-05-29 15:18:33 CEST
The only thing I've used Pidgin for in years is to log into Facebook chat. Installed this version, and it seems to work OK for that, at least. It really should have tests of other functions, too.

CC: (none) => andrewsfarm

Comment 4 Thomas Andrews 2018-05-31 14:57:31 CEST
As this has been here for almost 10 days with no response other than mine, and since it appeared to work for me without any issues, I am giving this an OK and validating it.

Suggested advisory in Comment 2.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => sysadmin-bugs

Thomas Backlund 2018-06-03 12:35:40 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2018-06-03 13:03:17 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2018-0105.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

