This issue is a denial of service / crashing issue in the MSN plugin. Info is here: http://pidgin.im/news/security/?id=61 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1178
CC: (none) => mageia
Assignee: bugsquad => mageia
Advisory: This update of pidgin fix CVE-2012-1178 to prevent possible MSN remote crash because of bad encoded text received. Packages: - pidgin-2.10.1-1.1.mga1 - pidgin-plugins-2.10.1-1.1.mga1 - pidgin-perl-2.10.1-1.1.mga1 - pidgin-tcl-2.10.1-1.1.mga1 - pidgin-silc-2.10.1-1.1.mga1 - lib64purple-devel-2.10.1-1.1.mga1 - lib64purple0-2.10.1-1.1.mga1 - lib64finch0-2.10.1-1.1.mga1 - finch-2.10.1-1.1.mga1 - pidgin-bonjour-2.10.1-1.1.mga1 - pidgin-meanwhile-2.10.1-1.1.mga1 - pidgin-client-2.10.1-1.1.mga1 - pidgin-i18n-2.10.1-1.1.mga1 - pidgin-debug-2.10.1-1.1.mga1
Status: NEW => ASSIGNEDAssignee: mageia => qa-bugs
Hardware: i586 => All
Testing complete on i586 for the srpm pidgin-2.10.1-1.1.mga1.src.rpm Just testing that pidgin is working with my Yahoo, hotmail, and gmail accounts. Same with finch.
CC: (none) => davidwhodgins
Just for reference, Mandriva says there's another CVE also fixed in this version: CVE-2011-4939 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4939 http://pidgin.im/news/security/?id=60 http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:029
(In reply to comment #3) > Just for reference, Mandriva says there's another CVE also fixed in this > version It's not just Mandriva who says this. :) Simply look at this list, and check the Fixed In column: http://pidgin.im/news/security/
It was for CVE-2012-1178, not CVE-2011-4939. My bad... As Mandriva having pidgin 2.10.2 in testing, I will change the update request for 2.10.2 (instead of 2.10.1 + patch). I will reassign to QA when available.
Assignee: qa-bugs => mageia
pidgin-2.10.2-1.1.mga1.src.rpm now available in core/updates_testing.
Assignee: mageia => qa-bugs
Advisory: This update of pidgin fix CVE-2012-1178 and CVE-2011-4939. It also upgrade to 2.10.2 to allow upgrade from Mandriva 2010.2.
Summary: pidgin new security issue CVE-2012-1178 => pidgin new security issues: CVE-2012-1178 and CVE-2011-4939
Tested on x86_64, seems to work as before.
CC: (none) => sander.lepik
Tested OK i586. No PoC's. Validating Advisory ------------ This update to pidgin fixes two vulnerabilities. It also upgrades to 2.10.2 to allow upgrade from Mandriva 2010.2. CVE-2012-1178 - The msn_oim_report_to_user function in oim.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.2 allows remote servers to cause a denial of service (application crash) via an OIM message that lacks UTF-8 encoding. CVE-2011-4939 - The pidgin_conv_chat_rename_user function in gtkconv.c in Pidgin before 2.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by changing a nickname while in an XMPP chat room. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1178 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4939 ------------- SRPM: pidgin-2.10.2-1.1.mga1.src.rpm Could sysadmin please push from core/updates_testing to core/updates Thanks!
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Update pushed.
Status: ASSIGNED => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED
Note that 2.10.2 broke the status of MSN buddies, see http://developer.pidgin.im/wiki/ChangeLog "2.10.3 fixes a problem with MSN buddies appearing online when they shouldn't." This is a regression in 2.10.2, so people upgrading to this version will be affected by this bug.
(In reply to comment #11) > Note that 2.10.2 broke the status of MSN buddies, see > http://developer.pidgin.im/wiki/ChangeLog > > "2.10.3 fixes a problem with MSN buddies appearing online when they shouldn't." > > This is a regression in 2.10.2, so people upgrading to this version will be > affected by this bug. Could you open a new bug report for this?
Blocks: (none) => 5624