*** The contents of this email are sensitive! Please do not share publicly until after the embargo date -- Wednesday 2013-02-13 at 07:00 PST, 10:00 EST, 15:00 UTC ***

Hello Pidgin packagers!

I'm sorry to inform you that we're disclosing some security vulnerabilities in Pidgin and libpurple. We're releasing Pidgin 2.10.7 this Wednesday (2 and a half days from now) with fixes. These issues were all found by static code analysis and not by actual crashes. We do not have repro steps for any of them, however we DO believe they are all remotely triggerable.

The vulnerabilities are:

CVE-2013-0271, discovered by Chris Wysopal, Veracode. Remote MXit user could specify local file path. The MXit protocol plugin saves an image to local disk using a filename that could potentially be partially specified by the IM server or by a remote user. Information about this issue will be posted at http://pidgin.im/news/security/?id=65 after the embargo date.

CVE-2013-0272, discovered by Coverity static analysis. MXit buffer overflow reading data from network. The code did not respect the size of the buffer when parsing HTTP headers, and a malicious server or man-in-the-middle could send specially crafted data that could overflow the buffer. This could lead to a crash or remote code execution. Information about this issue will be posted at http://pidgin.im/news/security/?id=66 after the embargo date.

CVE-2013-0273, discovered by Coverity static analysis. Sametime crash with long user IDs. libpurple failed to null-terminate user IDs that were longer than 4096 bytes. It's plausible that a malicious server could send one of these to us, which would lead to a crash. Information about this issue will be posted at http://pidgin.im/news/security/?id=67 after the embargo date.

CVE-2013-0274, discovered by Coverity static analysis. Crash when receiving a UPnP response with abnormally long values. libpurple failed to null-terminate some strings when parsing the response from a UPnP router. This could lead to a crash if a malicious user on your network responds with a specially crafted message. Information about this issue will be posted at http://pidgin.im/news/security/?id=68 after the embargo date.

You can download patches and the 2.10.7 release from here: http://pidgin.im/~markdoliner/aiofFj4se2E9I/

These files are not public! Please do not distribute them to end-users until after the embargo (Wednesday 2013-02-13 at 07:00 PST, 10:00 EST, 15:00 UTC).

In addition to the above, we made a change to account for a changed SSL certificate on some MSN servers. If your build of Pidgin uses your own system-wide CA certificate directory then you don't need to do anything. If your build of Pidgin installs our bundled CA certs then I believe you'll need to patch in this change in order for users to be able to login to MSN: http://hg.pidgin.im/pidgin/main/rev/673056a91e3b

Thanks, and please let me know if you have any problems or questions,
Mark

*** The contents of this email are sensitive! Please do not share publicly until after the embargo date -- Wednesday 2013-02-13 at 07:00 PST, 10:00 EST, 15:00 UTC ***
2.10.7 has been submitted to mga2. someone has to submit it to cauldron.
You do realize that I don't see these bugs unless you CC me, or I just happen to go looking for them? Checking that it builds now in Cauldron, then I'll request the freeze push. Thanks.
CC: (none) => luigiwalser
Whiteboard: (none) => MGA2TOO
Instead there should be a new secteam@mageia.org "user" in bugzilla added. This email address points to a mailman gpg encrypted mailinglist where certain secteam members are subscribed. To me as a mageia "newbie" it's painful to reassign bugs as mageia does not seem to use a common name standard like "David Walser <dwalser@mageia.org>". E-mail addresses in rpm changelogs are cloaked. IRC nicknames are cloaked, inconsistent and/or incomplete (no info attached).
Segfault reported by Simon (Bug 9075) fixed and package rebuilt. Assigning to QA.

Advisory:
========================

Updated pidgin packages fix security vulnerabilities:

Remote MXit user could specify local file path in Pidgin before 2.10.7. The MXit protocol plugin saves an image to local disk using a filename that could potentially be partially specified by the IM server or by a remote user (CVE-2013-0271).

MXit buffer overflow reading data from network in Pidgin before 2.10.7. The code did not respect the size of the buffer when parsing HTTP headers, and a malicious server or man-in-the-middle could send specially crafted data that could overflow the buffer. This could lead to a crash or remote code execution (CVE-2013-0272).

Sametime crash with long user IDs in Pidgin before 2.10.7. libpurple failed to null-terminate user IDs that were longer than 4096 bytes. It's plausible that a malicious server could send one of these to us, which would lead to a crash (CVE-2013-0273).

Crash when receiving a UPnP response with abnormally long values in Pidgin before 2.10.7. libpurple failed to null-terminate some strings when parsing the response from a UPnP router. This could lead to a crash if a malicious user on your network responds with a specially crafted message (CVE-2013-0274).

Pidgin has been updated to 2.10.7, which fixes these and other issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0271
http://pidgin.im/news/security/?id=65
http://pidgin.im/news/security/?id=66
http://pidgin.im/news/security/?id=67
http://pidgin.im/news/security/?id=68
https://developer.pidgin.im/wiki/ChangeLog
========================

Updated packages in core/updates_testing:
========================

pidgin-2.10.7-1.1.mga2
pidgin-plugins-2.10.7-1.1.mga2
pidgin-perl-2.10.7-1.1.mga2
pidgin-tcl-2.10.7-1.1.mga2
pidgin-silc-2.10.7-1.1.mga2
libpurple-devel-2.10.7-1.1.mga2
libpurple0-2.10.7-1.1.mga2
libfinch0-2.10.7-1.1.mga2
finch-2.10.7-1.1.mga2
pidgin-bonjour-2.10.7-1.1.mga2
pidgin-meanwhile-2.10.7-1.1.mga2
pidgin-client-2.10.7-1.1.mga2
pidgin-i18n-2.10.7-1.1.mga2

from pidgin-2.10.7-1.1.mga2.src.rpm
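The upstream email and the advisory above describe the same two C mistakes behind three of the four issues: copying network-supplied data into a fixed buffer without honouring its size (CVE-2013-0272) and leaving a copied string without a terminating NUL (CVE-2013-0273, CVE-2013-0274). The block below is an added illustration of those two defect classes and their defensive counterparts; it is not Pidgin's or libpurple's code and does not reproduce the actual bugs. Only the 4096-byte limit comes from the advisory; the function names, the over-long "user ID", and the sample HTTP response are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limit quoted in the advisory for Sametime user IDs; every other value here is constructed. */
#define ID_MAX 4096

/* Pattern behind the null-termination bugs (illustration, not libpurple's code):
 * strncpy() writes no terminator when the source is at least bufsz bytes long.
 * Returns 1 if buf ended up without a NUL inside its bufsz bytes. */
int copy_unterminated(char *buf, size_t bufsz, const char *src)
{
    strncpy(buf, src, bufsz);
    return memchr(buf, '\0', bufsz) == NULL;
}

/* Hardened copy: truncates to bufsz-1 bytes and always terminates. Never reads
 * more than bufsz-1 bytes of src, so an oversized source costs nothing extra.
 * Returns 0 on success, -1 if there is no room for a terminator. */
int copy_bounded(char *buf, size_t bufsz, const char *src)
{
    size_t n;
    if (bufsz == 0)
        return -1;
    for (n = 0; n < bufsz - 1 && src[n] != '\0'; n++)
        ;
    memcpy(buf, src, n);
    buf[n] = '\0';
    return 0;
}

/* Bounded HTTP header lookup: scans only the first len bytes of data (which need
 * not be NUL-terminated, like a raw socket read), matches "name:" at the start of
 * a line (exact case) and copies the trimmed value into out.
 * Returns the value length, or -1 if the header is absent or would not fit. */
int header_value(const char *data, size_t len, const char *name,
                 char *out, size_t outsz)
{
    size_t nlen = strlen(name), i = 0;
    while (i < len) {
        size_t eol = i, vs, ve, vlen;
        while (eol < len && data[eol] != '\n')
            eol++;
        if (eol - i > nlen && data[i + nlen] == ':' &&
            strncmp(data + i, name, nlen) == 0) {
            vs = i + nlen + 1;
            ve = eol;
            while (vs < ve && (data[vs] == ' ' || data[vs] == '\t'))
                vs++;
            while (ve > vs && (data[ve - 1] == '\r' || data[ve - 1] == ' '))
                ve--;
            vlen = ve - vs;
            if (vlen >= outsz)
                return -1;          /* refuse rather than overflow out */
            memcpy(out, data + vs, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        i = eol + 1;
    }
    return -1;
}

/* Constructed over-long user ID: len bytes of 'A', NUL-terminated. Caller frees. */
char *make_long_id(size_t len)
{
    char *id = malloc(len + 1);
    if (id == NULL)
        return NULL;
    memset(id, 'A', len);
    id[len] = '\0';
    return id;
}

/* Runs both copies on an ID longer than ID_MAX; returns the number of failed
 * expectations (0 means the naive copy is unterminated while the bounded copy
 * is terminated and truncated to ID_MAX-1 bytes). */
int demo(void)
{
    static char idbuf[ID_MAX];
    char *id = make_long_id(ID_MAX + 8);
    int failures = 0;
    if (id == NULL)
        return 1;
    failures += copy_unterminated(idbuf, sizeof idbuf, id) != 1;
    failures += copy_bounded(idbuf, sizeof idbuf, id) != 0;
    failures += strlen(idbuf) != ID_MAX - 1;
    free(id);
    return failures;
}

int main(void)
{
    /* Constructed response header, as a server might send before image data. */
    const char hdr[] = "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n"
                       "Content-Length: 1234\r\n\r\n";
    char val[8];
    printf("demo failures: %d\n", demo());
    printf("Content-Length: %d -> %s\n",
           header_value(hdr, sizeof hdr - 1, "Content-Length", val, sizeof val), val);
    return 0;
}
```

The two defensive functions share one rule: the destination size is the only bound that matters, and a value that does not fit is rejected or truncated rather than written past the end. That is also the property a static analyser such as the one credited in the advisory checks for, which is why these bugs could be found without a single crash report.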
Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO => (none)
Summary: Multiple vulnerabilities in pidgin (CVE-2013-0271, CVE-2013-0272, CVE-2013-0273, CVE-2013-0274) => pidgin new security issues CVE-2013-0271, CVE-2013-0272, CVE-2013-0273, CVE-2013-0274
URL: (none) => http://lwn.net/Vulnerabilities/538116/
No POC. Connected to yahoo, IRC and ICQ and facebook chat. Appicon does not show up in KDE4 task bar, but that's probably minor with the systray icon anyway. MGA2-64 OK
CC: (none) => wrw105
Whiteboard: (none) => MGA2-64-OK
Testing complete mga2 32. Well done Bill, thank you. Keep doing what you're doing :) Connected WLM & IRC. Validating Advisory & srpm in comment 4. Could sysadmin please push from core/updates_testing to core/updates. Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA2-64-OK => has_procedure MGA2-64-OK mga2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0058
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED