Pidgin versions less than 2.10.5 contain a security vulnerability, which will cause a buffer overflow when parsing incoming messages containing inline images (CVE-2012-3374). The packages in Mageia 2 and Mageia 1 have been updated to 2.10.5 to fix this vulnerability.
Whiteboard: (none) => MGA1TOO
CC: (none) => olivier.delaune
Blocks: (none) => 6705
Tested on mga1 x86_64, seems to work as before.
CC: (none) => sander.lepik
Whiteboard: MGA1TOO => MGA1TOO, MGA1-64-OK
*** Bug 6705 has been marked as a duplicate of this bug. ***
Blocks: 6705 => (none)
CC: (none) => luigiwalser
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3374
http://www.pidgin.im/news/security/?id=64
http://developer.pidgin.im/wiki/ChangeLog
Packages in core/updates_testing:
pidgin-2.10.5-1.mga1
pidgin-plugins-2.10.5-1.mga1
pidgin-perl-2.10.5-1.mga1
pidgin-tcl-2.10.5-1.mga1
pidgin-silc-2.10.5-1.mga1
libpurple-devel-2.10.5-1.mga1
libpurple0-2.10.5-1.mga1
libfinch0-2.10.5-1.mga1
finch-2.10.5-1.mga1
pidgin-bonjour-2.10.5-1.mga1
pidgin-meanwhile-2.10.5-1.mga1
pidgin-client-2.10.5-1.mga1
pidgin-i18n-2.10.5-1.mga1
pidgin-2.10.5-1.mga2
pidgin-plugins-2.10.5-1.mga2
pidgin-perl-2.10.5-1.mga2
pidgin-tcl-2.10.5-1.mga2
pidgin-silc-2.10.5-1.mga2
libpurple-devel-2.10.5-1.mga2
libpurple0-2.10.5-1.mga2
libfinch0-2.10.5-1.mga2
finch-2.10.5-1.mga2
pidgin-bonjour-2.10.5-1.mga2
pidgin-meanwhile-2.10.5-1.mga2
pidgin-client-2.10.5-1.mga2
pidgin-i18n-2.10.5-1.mga2
from SRPMS:
pidgin-2.10.5-1.mga1.src.rpm
pidgin-2.10.5-1.mga2.src.rpm
CC: (none) => shlomif
A bug snuck into 2.10.5 (see the website or ChangeLog), so 2.10.6 has been released to fix that. We should provide it.
CC: (none) => qa-bugs
Assignee: qa-bugs => fundawang
Built by Funda. Thanks Funda.
Packages in core/updates_testing:
pidgin-2.10.6-1.mga1
pidgin-plugins-2.10.6-1.mga1
pidgin-perl-2.10.6-1.mga1
pidgin-tcl-2.10.6-1.mga1
pidgin-silc-2.10.6-1.mga1
libpurple-devel-2.10.6-1.mga1
libpurple0-2.10.6-1.mga1
libfinch0-2.10.6-1.mga1
finch-2.10.6-1.mga1
pidgin-bonjour-2.10.6-1.mga1
pidgin-meanwhile-2.10.6-1.mga1
pidgin-client-2.10.6-1.mga1
pidgin-i18n-2.10.6-1.mga1
pidgin-2.10.6-1.mga2
pidgin-plugins-2.10.6-1.mga2
pidgin-perl-2.10.6-1.mga2
pidgin-tcl-2.10.6-1.mga2
pidgin-silc-2.10.6-1.mga2
libpurple-devel-2.10.6-1.mga2
libpurple0-2.10.6-1.mga2
libfinch0-2.10.6-1.mga2
finch-2.10.6-1.mga2
pidgin-bonjour-2.10.6-1.mga2
pidgin-meanwhile-2.10.6-1.mga2
pidgin-client-2.10.6-1.mga2
pidgin-i18n-2.10.6-1.mga2
from SRPMS:
pidgin-2.10.6-1.mga1.src.rpm
pidgin-2.10.6-1.mga2.src.rpm
CC: qa-bugs => fundawang
Assignee: fundawang => qa-bugs
Whiteboard: MGA1TOO, MGA1-64-OK => MGA1TOO
No POC, so just testing that pidgin is working. Testing complete on Mageia 1 i586.
CC: (none) => davidwhodgins
Whiteboard: MGA1TOO => MGA1TOO, MGA1-32-OK
Testing complete on Mageia 2 i586.
Whiteboard: MGA1TOO, MGA1-32-OK => MGA1TOO, MGA1-32-OK, MGA2-32-OK
Works fine on Mageia 2 x86-64. Regards, -- Shlomi Fish.
Whiteboard: MGA1TOO, MGA1-32-OK, MGA2-32-OK => MGA1TOO, MGA1-32-OK, MGA2-32-OK, MGA2-64-OK
Works fine on Mageia 1 x86_64. No added dependencies detected by depcheck.
Update validated for both Mageia 2 and Mageia 1, see comment #5 for SRPMs.
Advisory:
Pidgin in versions less than 2.10.5 contains a security vulnerability, which will cause a buffer overflow when parsing incoming messages containing inline images (CVE-2012-3374). The packages in Mageia 2 and Mageia 1 have been updated to 2.10.6 to fix this vulnerability.
Keywords: (none) => validated_update
CC: (none) => stormi, sysadmin-bugs
Whiteboard: MGA1TOO, MGA1-32-OK, MGA2-32-OK, MGA2-64-OK => MGA1TOO, MGA1-32-OK, MGA2-32-OK, MGA2-64-OK, MGA1-64-OK
Advisory issued by Debian on July 8:
http://www.debian.org/security/2012/dsa-2509
http://lwn.net/Vulnerabilities/505986/
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0154
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED