Bug 6709 - [Update Request] Update pidgin to fix CVE-2012-3374
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: All Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: http://cve.mitre.org/cgi-bin/cvename....
: MGA1TOO, MGA1-32-OK, MGA2-32-OK, MGA2...
: validated_update
Reported: 2012-07-06 04:14 CEST by Funda Wang
Modified: 2012-07-10 02:22 CEST

Source RPM: pidgin-2.10.5-1.mga

Description Funda Wang 2012-07-06 04:14:25 CEST
Pidgin versions less than 2.10.5 contain a security vulnerability, which will cause a buffer overflow when parsing incoming messages containing inline images (CVE-2012-3374).

The packages in Mageia 2 and Mageia 1 have been updated to 2.10.5 to fix this vulnerability.
Comment 1 Sander Lepik 2012-07-06 09:59:39 CEST
Tested on mga1 x86_64, seems to work as before.
Comment 2 David Walser 2012-07-06 13:48:59 CEST
*** Bug 6705 has been marked as a duplicate of this bug. ***
Comment 3 David Walser 2012-07-06 13:53:23 CEST
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3374
http://www.pidgin.im/news/security/?id=64
http://developer.pidgin.im/wiki/ChangeLog

Packages in core/updates_testing:
pidgin-2.10.5-1.mga1
pidgin-plugins-2.10.5-1.mga1
pidgin-perl-2.10.5-1.mga1
pidgin-tcl-2.10.5-1.mga1
pidgin-silc-2.10.5-1.mga1
libpurple-devel-2.10.5-1.mga1
libpurple0-2.10.5-1.mga1
libfinch0-2.10.5-1.mga1
finch-2.10.5-1.mga1
pidgin-bonjour-2.10.5-1.mga1
pidgin-meanwhile-2.10.5-1.mga1
pidgin-client-2.10.5-1.mga1
pidgin-i18n-2.10.5-1.mga1
pidgin-2.10.5-1.mga2
pidgin-plugins-2.10.5-1.mga2
pidgin-perl-2.10.5-1.mga2
pidgin-tcl-2.10.5-1.mga2
pidgin-silc-2.10.5-1.mga2
libpurple-devel-2.10.5-1.mga2
libpurple0-2.10.5-1.mga2
libfinch0-2.10.5-1.mga2
finch-2.10.5-1.mga2
pidgin-bonjour-2.10.5-1.mga2
pidgin-meanwhile-2.10.5-1.mga2
pidgin-client-2.10.5-1.mga2
pidgin-i18n-2.10.5-1.mga2

from SRPMS:
pidgin-2.10.5-1.mga1.src.rpm
pidgin-2.10.5-1.mga2.src.rpm
Comment 4 David Walser 2012-07-06 22:22:09 CEST
A bug snuck into 2.10.5 (see the website or ChangeLog), so 2.10.6 has been released to fix that.  We should provide it.
Comment 5 David Walser 2012-07-07 16:19:36 CEST
Built by Funda.  Thanks Funda.

Packages in core/updates_testing:
pidgin-2.10.6-1.mga1
pidgin-plugins-2.10.6-1.mga1
pidgin-perl-2.10.6-1.mga1
pidgin-tcl-2.10.6-1.mga1
pidgin-silc-2.10.6-1.mga1
libpurple-devel-2.10.6-1.mga1
libpurple0-2.10.6-1.mga1
libfinch0-2.10.6-1.mga1
finch-2.10.6-1.mga1
pidgin-bonjour-2.10.6-1.mga1
pidgin-meanwhile-2.10.6-1.mga1
pidgin-client-2.10.6-1.mga1
pidgin-i18n-2.10.6-1.mga1
pidgin-2.10.6-1.mga2
pidgin-plugins-2.10.6-1.mga2
pidgin-perl-2.10.6-1.mga2
pidgin-tcl-2.10.6-1.mga2
pidgin-silc-2.10.6-1.mga2
libpurple-devel-2.10.6-1.mga2
libpurple0-2.10.6-1.mga2
libfinch0-2.10.6-1.mga2
finch-2.10.6-1.mga2
pidgin-bonjour-2.10.6-1.mga2
pidgin-meanwhile-2.10.6-1.mga2
pidgin-client-2.10.6-1.mga2
pidgin-i18n-2.10.6-1.mga2

from SRPMS:
pidgin-2.10.6-1.mga1.src.rpm
pidgin-2.10.6-1.mga2.src.rpm
Comment 6 Dave Hodgins 2012-07-08 03:18:25 CEST
No POC, so just testing that pidgin is working.

Testing complete on Mageia 1 i586.
Comment 7 Dave Hodgins 2012-07-08 04:22:55 CEST
Testing complete on Mageia 2 i586.
Comment 8 Shlomi Fish 2012-07-08 10:43:47 CEST
Works fine on Mageia 2 x86-64.

Regards,

-- Shlomi Fish.
Comment 9 Samuel Verschelde 2012-07-08 14:48:28 CEST
Works fine on Mageia 1 x86_64.

No added dependencies detected by depcheck.

Update validated for both Mageia 2 and Mageia 1, see comment #5 for SRPMs.

Advisory:

Pidgin in versions less than 2.10.5 contains a security vulnerability, which will
cause a buffer overflow when parsing incoming messages containing inline images
(CVE-2012-3374).

The packages in Mageia 2 and Mageia 1 have been updated to 2.10.6 to fix this
vulnerability.
Comment 10 David Walser 2012-07-09 20:23:04 CEST
Advisory issued by Debian on July 8:
http://www.debian.org/security/2012/dsa-2509
http://lwn.net/Vulnerabilities/505986/
Comment 11 Thomas Backlund 2012-07-10 02:22:18 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0154
