Bug 6709 - [Update Request] Update pidgin to fix CVE-2012-3374
Summary: [Update Request] Update pidgin to fix CVE-2012-3374
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: MGA1TOO, MGA1-32-OK, MGA2-32-OK, MGA2...
Keywords: validated_update
Duplicates: 6705
Depends on:
Blocks:
 
Reported: 2012-07-06 04:14 CEST by Funda Wang
Modified: 2012-07-10 02:22 CEST
CC List: 9 users

See Also:
Source RPM: pidgin-2.10.5-1.mga
CVE:
Status comment:



Description Funda Wang 2012-07-06 04:14:25 CEST
Pidgin versions less than 2.10.5 contain a security vulnerability, which will cause a buffer overflow when parsing incoming messages containing inline images (CVE-2012-3374).

The packages in Mageia 2 and Mageia 1 have been updated to 2.10.5 to fix this vulnerability.
Funda Wang 2012-07-06 04:15:22 CEST

Whiteboard: (none) => MGA1TOO

Olivier Delaune 2012-07-06 06:40:10 CEST

CC: (none) => olivier.delaune
Blocks: (none) => 6705

Comment 1 Sander Lepik 2012-07-06 09:59:39 CEST
Tested on mga1 x86_64, seems to work as before.

CC: (none) => sander.lepik
Whiteboard: MGA1TOO => MGA1TOO, MGA1-64-OK

Comment 2 David Walser 2012-07-06 13:48:59 CEST
*** Bug 6705 has been marked as a duplicate of this bug. ***

Blocks: 6705 => (none)
CC: (none) => luigiwalser

Comment 3 David Walser 2012-07-06 13:53:23 CEST
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3374
http://www.pidgin.im/news/security/?id=64
http://developer.pidgin.im/wiki/ChangeLog

Packages in core/updates_testing:
pidgin-2.10.5-1.mga1
pidgin-plugins-2.10.5-1.mga1
pidgin-perl-2.10.5-1.mga1
pidgin-tcl-2.10.5-1.mga1
pidgin-silc-2.10.5-1.mga1
libpurple-devel-2.10.5-1.mga1
libpurple0-2.10.5-1.mga1
libfinch0-2.10.5-1.mga1
finch-2.10.5-1.mga1
pidgin-bonjour-2.10.5-1.mga1
pidgin-meanwhile-2.10.5-1.mga1
pidgin-client-2.10.5-1.mga1
pidgin-i18n-2.10.5-1.mga1
pidgin-2.10.5-1.mga2
pidgin-plugins-2.10.5-1.mga2
pidgin-perl-2.10.5-1.mga2
pidgin-tcl-2.10.5-1.mga2
pidgin-silc-2.10.5-1.mga2
libpurple-devel-2.10.5-1.mga2
libpurple0-2.10.5-1.mga2
libfinch0-2.10.5-1.mga2
finch-2.10.5-1.mga2
pidgin-bonjour-2.10.5-1.mga2
pidgin-meanwhile-2.10.5-1.mga2
pidgin-client-2.10.5-1.mga2
pidgin-i18n-2.10.5-1.mga2

from SRPMS:
pidgin-2.10.5-1.mga1.src.rpm
pidgin-2.10.5-1.mga2.src.rpm
David Walser 2012-07-06 22:20:26 CEST

CC: (none) => shlomif

Comment 4 David Walser 2012-07-06 22:22:09 CEST
A bug snuck into 2.10.5 (see the website or ChangeLog), so 2.10.6 has been released to fix that.  We should provide it.

CC: (none) => qa-bugs
Assignee: qa-bugs => fundawang

Comment 5 David Walser 2012-07-07 16:19:36 CEST
Built by Funda.  Thanks Funda.

Packages in core/updates_testing:
pidgin-2.10.6-1.mga1
pidgin-plugins-2.10.6-1.mga1
pidgin-perl-2.10.6-1.mga1
pidgin-tcl-2.10.6-1.mga1
pidgin-silc-2.10.6-1.mga1
libpurple-devel-2.10.6-1.mga1
libpurple0-2.10.6-1.mga1
libfinch0-2.10.6-1.mga1
finch-2.10.6-1.mga1
pidgin-bonjour-2.10.6-1.mga1
pidgin-meanwhile-2.10.6-1.mga1
pidgin-client-2.10.6-1.mga1
pidgin-i18n-2.10.6-1.mga1
pidgin-2.10.6-1.mga2
pidgin-plugins-2.10.6-1.mga2
pidgin-perl-2.10.6-1.mga2
pidgin-tcl-2.10.6-1.mga2
pidgin-silc-2.10.6-1.mga2
libpurple-devel-2.10.6-1.mga2
libpurple0-2.10.6-1.mga2
libfinch0-2.10.6-1.mga2
finch-2.10.6-1.mga2
pidgin-bonjour-2.10.6-1.mga2
pidgin-meanwhile-2.10.6-1.mga2
pidgin-client-2.10.6-1.mga2
pidgin-i18n-2.10.6-1.mga2

from SRPMS:
pidgin-2.10.6-1.mga1.src.rpm
pidgin-2.10.6-1.mga2.src.rpm

CC: qa-bugs => fundawang
Assignee: fundawang => qa-bugs

Sander Lepik 2012-07-07 16:23:22 CEST

Whiteboard: MGA1TOO, MGA1-64-OK => MGA1TOO

Comment 6 Dave Hodgins 2012-07-08 03:18:25 CEST
No POC, so just testing that pidgin is working.

Testing complete on Mageia 1 i586.

CC: (none) => davidwhodgins
Whiteboard: MGA1TOO => MGA1TOO, MGA1-32-OK

Comment 7 Dave Hodgins 2012-07-08 04:22:55 CEST
Testing complete on Mageia 2 i586.

Whiteboard: MGA1TOO, MGA1-32-OK => MGA1TOO, MGA1-32-OK, MGA2-32-OK

Comment 8 Shlomi Fish 2012-07-08 10:43:47 CEST
Works fine on Mageia 2 x86-64.

Regards,

-- Shlomi Fish.

Whiteboard: MGA1TOO, MGA1-32-OK, MGA2-32-OK => MGA1TOO, MGA1-32-OK, MGA2-32-OK, MGA2-64-OK

Comment 9 Samuel Verschelde 2012-07-08 14:48:28 CEST
Works fine on Mageia 1 x86_64.

No added dependencies detected by depcheck.

Update validated for both Mageia 2 and Mageia 1, see comment #5 for SRPMs.

Advisory:

Pidgin in versions less than 2.10.5 contains a security vulnerability, which will
cause a buffer overflow when parsing incoming messages containing inline images
(CVE-2012-3374).

The packages in Mageia 2 and Mageia 1 have been updated to 2.10.6 to fix this
vulnerability.

Keywords: (none) => validated_update
CC: (none) => stormi, sysadmin-bugs
Whiteboard: MGA1TOO, MGA1-32-OK, MGA2-32-OK, MGA2-64-OK => MGA1TOO, MGA1-32-OK, MGA2-32-OK, MGA2-64-OK, MGA1-64-OK

Comment 10 David Walser 2012-07-09 20:23:04 CEST
Advisory issued by Debian on July 8:
http://www.debian.org/security/2012/dsa-2509
http://lwn.net/Vulnerabilities/505986/
Comment 11 Thomas Backlund 2012-07-10 02:22:18 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0154

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

