Pidgin may be vulnerable to remote MSN and XMPP crashes

Bug #996691 reported by Alexander Fougner
Affects          Status        Importance  Assigned to  Milestone
pidgin (Ubuntu)  Fix Released  Medium      Unassigned

Bug Description

New upstream release, fixes a few security vulnerabilities.

- Fixes possible MSN remote crash (CVE-2012-2318)
- Fixes XMPP remote crash (CVE-2012-2214)

Alexander Fougner (fougner) wrote:

I've got a PPA where I built the latest 2.10.4.

https://launchpad.net/~fougner/+archive/test/+packages

Alexander Fougner (fougner) wrote:

Here's a debdiff for the update

Tyler Hicks (tyhicks) wrote:

Hi Alexander - Thanks for the debdiff! Unfortunately, it does not follow the security update procedures documented here:

https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation

Rather than update the Precise pidgin version to 1:2.10.4-0ubuntu1, we need to backport the two security fixes to the existing Precise pidgin source and bump the version number to 1:2.10.3-0ubuntu1.1. The relevant patches are:

http://developer.pidgin.im/viewmtn/revision/info/94cbd5a68ee237c970d8bd6d9d53106f1b9627ad
http://developer.pidgin.im/viewmtn/revision/info/d991ff6d558d185527a09eae0378edb3fc7057a5

I'm unsubscribing ubuntu-security-sponsors from this bug. If you are able to provide an updated debdiff, please resubscribe ubuntu-security-sponsors and set the bug status to NEW. Otherwise, the Ubuntu Security Team will update pidgin after one of our team members has a chance to go through the appropriate update preparation.

security vulnerability: no → yes
Changed in pidgin (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
summary: - Update pidgin to 2.10.4
+ Pidgin may be vulnerable to remote MSN and XMPP crashes
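The version number Tyler asks for (1:2.10.3-0ubuntu1.1 rather than 1:2.10.4-0ubuntu1) has to satisfy two ordering constraints under Debian version comparison: it must sort above the 1:2.10.3-0ubuntu1 already in Precise, so the security update is installed, and below a future 1:2.10.4-0ubuntu1, so a later upstream bump still replaces it. The script below is an added example, not code from this bug, from Ubuntu or from dpkg. It reimplements the comparison algorithm described in deb-version(7) so the check runs without dpkg installed; the function names and the no-epoch sample version are this example's own. With dpkg available, the same question is answered by `dpkg --compare-versions 1:2.10.3-0ubuntu1 lt 1:2.10.3-0ubuntu1.1`.

```python
"""Debian/Ubuntu version ordering check for the pidgin security update.

Added example, not code from this bug, from Ubuntu or from dpkg.  It
reimplements the comparison rules of deb-version(7): epoch compared
numerically, then upstream version, then Debian revision, each as
alternating non-digit and digit runs.  Function names are this
example's own.
"""

# Versions taken from the bug discussion.
PRECISE_VERSION = "1:2.10.3-0ubuntu1"      # package already in Precise
SECURITY_VERSION = "1:2.10.3-0ubuntu1.1"   # backported security update
NEXT_UPSTREAM = "1:2.10.4-0ubuntu1"        # what a full upstream bump would be


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _is_digit(ch):
    return "0" <= ch <= "9"


def _order(ch):
    """Sort weight of one non-digit character: '~' sorts before everything
    (even end of string), end of string is 0, letters sort before other
    punctuation."""
    if ch == "~":
        return -1
    if ch == "" or _is_digit(ch):
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _verrevcmp(a, b):
    """Compare two upstream or revision strings; negative, zero or positive."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights until a digit appears.
        while (i < len(a) and not _is_digit(a[i])) or (j < len(b) and not _is_digit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, otherwise
        # the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _is_digit(a[i]) and j < len(b) and _is_digit(b[j]):
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _is_digit(a[i]):
            return 1
        if j < len(b) and _is_digit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for left, right in ((ua, ub), (ra, rb)):
        r = _verrevcmp(left, right)
        if r:
            return -1 if r < 0 else 1
    return 0


def is_fixed(installed, fixed=SECURITY_VERSION):
    """True when the installed version is the fixed version or newer."""
    return compare_versions(installed, fixed) >= 0


def backport_version_ok(current, backport, next_upstream):
    """A security backport must sort above the package it replaces and below
    the next upstream bump, so the later upgrade still happens."""
    return (compare_versions(current, backport) < 0
            and compare_versions(backport, next_upstream) < 0)


if __name__ == "__main__":
    # "2.10.4-0ubuntu1" is a constructed sample: without the 1: epoch it sorts
    # below every 1: version, whatever its upstream number.
    for v in (PRECISE_VERSION, SECURITY_VERSION, NEXT_UPSTREAM, "2.10.4-0ubuntu1"):
        print(f"{v:24} fixed: {is_fixed(v)}")
    print("backport ordering ok:",
          backport_version_ok(PRECISE_VERSION, SECURITY_VERSION, NEXT_UPSTREAM))
```

The `is_fixed` check is what an inventory script would run against the output of `dpkg-query -W -f='${Version}' pidgin`; note that the epoch must be included in the comparison, or a 2.10.4 build that dropped the 1: epoch would wrongly appear older than the Precise package.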
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package pidgin - 1:2.10.3-0ubuntu1.1

---------------
pidgin (1:2.10.3-0ubuntu1.1) precise-security; urgency=low

  * SECURITY UPDATE: Remote denial of service via specially crafted XMPP file
    transfer requests (LP: #996691)
    - debian/patches/CVE-2012-2214.patch: Properly tear down SOCKS5
      connection attempts. Based on upstream patch.
    - CVE-2012-2214
  * SECURITY UPDATE: Remote denial of service via specially crafted MSN
    messages (LP: #996691)
    - debian/patches/CVE-2012-2318.patch: Convert incoming messages to UTF-8,
      then validate the messages. Based on upstream patch.
    - CVE-2012-2318
  * SECURITY UPDATE: Remote denial of service via specially crafted MXit
    messages (LP: #1022012)
    - debian/patches/CVE-2012-3374.patch: Use dynamically allocated memory
      instead of a fixed size buffer. Based on upstream patch.
    - CVE-2012-3374
 -- Tyler Hicks <email address hidden> Sun, 08 Jul 2012 18:14:21 -0500

Changed in pidgin (Ubuntu):
status: Triaged → Fix Released
This report contains Public Security information  