Bug 5624 - Upgrade Pidgin to 2.10.4 to fix CVE-2012-2214
Summary: Upgrade Pidgin to 2.10.4 to fix CVE-2012-2214
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 1
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: Mageia 1
Assignee: QA Team
QA Contact:
URL: http://developer.pidgin.im/wiki/Chang...
Whiteboard:
Keywords: validated_update
Duplicates: 2750
Depends on: 2750 4965
Blocks:
Reported: 2012-04-27 01:06 CEST by Frédéric "LpSolit" Buclin
Modified: 2012-06-10 04:38 CEST
CC List: 6 users

See Also:
Source RPM: pidgin-2.10.3-1.1.mga1.src.rpm
CVE:
Status comment:



Description Frédéric "LpSolit" Buclin 2012-04-27 01:06:00 CEST
See bug 4965 comment 11: the upgrade to Pidgin 2.10.2 introduced a regression where the status of MSN buddies is broken. Per http://developer.pidgin.im/wiki/ChangeLog:

"2.10.3 fixes a problem with MSN buddies appearing online when they shouldn't."

This happened to me right now where several of my contacts appeared as being still online when they were in fact offline. I had to close and reopen my MSN account to get the right status again. This is a bit annoying. Pidgin has been upgraded to 2.10.3 in Cauldron, but not in Mageia 1.
David Walser 2012-04-27 01:48:11 CEST

CC: (none) => luigiwalser, mageia

Manuel Hiebel 2012-04-27 11:42:11 CEST

Assignee: bugsquad => mageia

Comment 1 Damien Lallement 2012-04-29 19:17:35 CEST
WIP

Status: NEW => ASSIGNED

Comment 2 Damien Lallement 2012-05-02 16:00:53 CEST
Advisory
------------
This pidgin update fixes a bug with MSN buddies appearing online when they are not. I also upgraded to 2.10.3 to allow upgrading from Mandriva 2010.2.

http://developer.pidgin.im/ticket/14997
-------------

SRPM: pidgin-2.10.3-1.1.mga1.src.rpm

Please test this update request.

Assignee: mageia => qa-bugs
Source RPM: pidgin-2.10.2-1.1.mga1 => pidgin-2.10.3-1.1.mga1.src.rpm

Comment 3 David Walser 2012-05-02 17:39:27 CEST
Damien,

Please ask the sysadmins to delete the RPM you just built and resubmit it.

But first, delete the "subrel" line from the SPEC file.  The RPM you just built has a newer version than the one in Cauldron because of it.  The update for Mageia 1 should not have a subrel.

CC: (none) => qa-bugs
Assignee: qa-bugs => mageia
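
The version-ordering point from comment 3, worked through as an added example (my own Python, not Mageia's or rpm's code): rpm compares release strings segment by segment, so a subrel release like 1.1.mga1 sorts above a plain Cauldron release, assumed here to be 1.mga2 since the page does not quote Cauldron's exact 2.10.3 release string.

```python
# RPM version ordering as rpm/urpmi apply it when deciding whether one
# build upgrades another.  Added example; not Mageia's or rpm's own code.
import re
from itertools import zip_longest

_SEG = re.compile(r'[0-9]+|[A-Za-z]+|~')

def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 ordering version/release strings the way rpm does:
    digit runs and letter runs are compared segment by segment, a digit run
    sorts newer than a letter run, '~' sorts older than anything (even end
    of string), and whichever string has segments left over is newer."""
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == '~' or y == '~':          # tilde: pre-release marker
            if x != '~':
                return 1
            if y != '~':
                return -1
            continue
        if x is None:                     # a ran out of segments first
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() or y.isdigit():  # numeric beats alphabetic
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return 0

def split_nvr(nvr: str):
    """'pidgin-2.10.3-1.1.mga1' -> ('pidgin', '2.10.3', '1.1.mga1')."""
    name, version, release = nvr.rsplit('-', 2)
    return name, version, release

def compare_nvr(a: str, b: str) -> int:
    """Order two builds of one package: by version, then by release."""
    na, va, ra = split_nvr(a)
    nb, vb, rb = split_nvr(b)
    if na != nb:
        raise ValueError(f"different packages: {na} vs {nb}")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def upgrade_path_ok(stable_nvr: str, cauldron_nvr: str) -> bool:
    """True when the stable-release update sorts below the Cauldron build,
    so upgrading the distribution still installs Cauldron's package."""
    return compare_nvr(stable_nvr, cauldron_nvr) < 0
```

With the subrel, pidgin-2.10.3-1.1.mga1 compares newer than the assumed pidgin-2.10.3-1.mga2 because the numeric "1" segment beats the alphabetic "mga" segment; dropping the subrel (1.mga1 vs 1.mga2) restores the expected order, as do the 2.10.4-1.mga1 / 2.10.4-1.mga2 pairs later in this bug.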

Comment 4 Damien Lallement 2012-05-02 17:48:24 CEST
Fixed in Cauldron. Please test this package. :-)
FYI, I'm sysadmin too.
Comment 5 David Walser 2012-05-02 17:51:20 CEST
That wasn't the "appropriate" fix, but it will do.  Assigning back to QA.

CC: qa-bugs => (none)
Assignee: mageia => qa-bugs

Comment 6 Dave Hodgins 2012-05-02 20:47:07 CEST
Testing complete on i586 for the srpm
pidgin-2.10.3-1.1.mga1.src.rpm

Tested using pidgin and finch.

CC: (none) => davidwhodgins

Comment 7 Damien Lallement 2012-05-03 13:32:21 CEST
Please stop testing as I'm backporting a fix for bug #2750.

Depends on: (none) => 2750

Damien Lallement 2012-05-03 13:32:31 CEST

Assignee: qa-bugs => mageia

Comment 8 Frédéric "LpSolit" Buclin 2012-05-07 17:48:34 CEST
Damien: Pidgin 2.10.4 was released yesterday, which fixes both the problem described in bug 2750 and two security bugs, see http://pidgin.im/news/security/. You could as well package 2.10.4 directly, and skip 2.10.3.
Comment 9 David Walser 2012-05-07 19:39:30 CEST
Thanks Frédéric.  Damien, please update this for Cauldron also.

Summary: Upgrade Pidgin to 2.10.3 in Mageia 1 to fix a regression introduced in 2.10.2 => Upgrade Pidgin to 2.10.4 to fix CVE-2012-2214

Comment 10 Damien Lallement 2012-05-09 14:43:37 CEST
Funda, as you played with it, I let you deal this update request.
Please, in the future, tell me when you are working on my packages so that I don't lose time on my side...

Assignee: mageia => fundawang

Comment 11 Funda Wang 2012-05-10 05:43:19 CEST
*** Bug 2750 has been marked as a duplicate of this bug. ***

CC: (none) => eeeemail

Comment 12 Funda Wang 2012-05-10 05:44:15 CEST
Packages pushed into mageia 1 core/updates_testing. Please test.

Assignee: fundawang => qa-bugs

Comment 13 David Walser 2012-05-10 15:04:12 CEST
Now there's a CVE for both security issues fixed in 2.10.4.

Note to QA: this is also in updates_testing for Cauldron and needs to be tested as an update for Mageia 2 as well.

Advisory:
========================

Updated pidgin packages fix security vulnerabilities:

A series of specially crafted file transfer requests can cause clients
to reference invalid memory. The user must have accepted one of the file
transfer requests (CVE-2012-2214).

Incoming messages with certain characters or character encodings can
cause clients to crash (CVE-2012-2318).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2318
http://pidgin.im/news/security/?id=62
http://pidgin.im/news/security/?id=63
========================

Updated packages in core/updates_testing:
========================
pidgin-2.10.4-1.mga1
pidgin-plugins-2.10.4-1.mga1
pidgin-perl-2.10.4-1.mga1
pidgin-tcl-2.10.4-1.mga1
pidgin-silc-2.10.4-1.mga1
libpurple-devel-2.10.4-1.mga1
libpurple0-2.10.4-1.mga1
libfinch0-2.10.4-1.mga1
finch-2.10.4-1.mga1
pidgin-bonjour-2.10.4-1.mga1
pidgin-meanwhile-2.10.4-1.mga1
pidgin-client-2.10.4-1.mga1
pidgin-i18n-2.10.4-1.mga1
pidgin-2.10.4-1.mga2
pidgin-plugins-2.10.4-1.mga2
pidgin-perl-2.10.4-1.mga2
pidgin-tcl-2.10.4-1.mga2
pidgin-silc-2.10.4-1.mga2
libpurple-devel-2.10.4-1.mga2
libpurple0-2.10.4-1.mga2
libfinch0-2.10.4-1.mga2
finch-2.10.4-1.mga2
pidgin-bonjour-2.10.4-1.mga2
pidgin-meanwhile-2.10.4-1.mga2
pidgin-client-2.10.4-1.mga2
pidgin-i18n-2.10.4-1.mga2

from SRPMS:
pidgin-2.10.4-1.mga1.src.rpm
pidgin-2.10.4-1.mga2.src.rpm
Comment 14 claire robinson 2012-05-10 17:28:55 CEST
As discussed on IRC, QA is not responsible for testing updates in Cauldron. Until Cauldron is branched into final release, testing of updates there should be carried out in the usual manner and updates push requests posted to the dev ML as normal.

Thanks.
Comment 15 David Walser 2012-05-10 18:11:30 CEST
Thanks for the clarification Claire.

Funda and Damien, if either of you can test and confirm this is working in Cauldron, you can submit a freeze push request today or tomorrow.
Comment 16 Damien Lallement 2012-05-10 18:27:34 CEST
I asked Funda as he made this. I would never have pushed pidgin into testing... It's nonsense as we are in freeze.
Comment 17 Damien Lallement 2012-05-10 18:28:01 CEST
But please, test it for Mageia 1. This bug is for 1, not cauldron. ;-)
Comment 18 David Walser 2012-05-10 18:39:34 CEST
Damien, we can't push an update for this in Mageia 1 if it's not in Cauldron.  Also, as Manuel just pointed out to me, final Cauldron freeze for security updates (as this is) happens after tomorrow.
Comment 19 Dave Hodgins 2012-05-10 23:13:32 CEST
(In reply to comment #18)
> Damien, we can't push an update for this in Mageia 1 if it's not in Cauldron. 
> Also, as Manuel just pointed out to me, final Cauldron freeze for security
> updates (as this is) happens after tomorrow.

As pidgin is not on the DVD, I don't see a problem pushing the update for Mageia 1, as long as it gets pushed to core updates in Cauldron as well.
Comment 20 Dave Hodgins 2012-05-10 23:17:09 CEST
Testing complete on i586 for Mageia 1, for the srpm
pidgin-2.10.4-1.mga1.src.rpm

Tested using Yahoo, Gmail, and a Hotmail account.

Hardware: i586 => All

Comment 21 Damien Lallement 2012-05-16 13:10:07 CEST
Ping? FYI, pidgin is now 2.10.4 in Cauldron.
Comment 22 David Walser 2012-05-16 15:40:46 CEST
Tested on i586 in Comment 20, so this needs testing on x86_64 and then it can be pushed.
Comment 23 Frédéric "LpSolit" Buclin 2012-05-18 17:52:38 CEST
Works for me too on i586 with Mga 1 using MSN, XMPP, AIM and IRC.
Comment 24 Dave Hodgins 2012-05-19 09:12:14 CEST
The pidgin update still needs x86-64 testing.
Comment 25 Manuel Hiebel 2012-06-01 18:25:31 CEST
pidgin ok on x86_64

Suggested Advisory:
-------------
Updated pidgin packages fix security vulnerabilities:

A series of specially crafted file transfer requests can cause clients
to reference invalid memory. The user must have accepted one of the file
transfer requests (CVE-2012-2214).

Incoming messages with certain characters or character encodings can
cause clients to crash (CVE-2012-2318).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2318
http://pidgin.im/news/security/?id=62
http://pidgin.im/news/security/?id=63

https://bugs.mageia.org/show_bug.cgi?id=5624
-------------

SRPM: pidgin-2.10.4-1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 26 Thomas Backlund 2012-06-10 04:38:53 CEST
Update pushed.
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0109

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
