Backport security fixes from Pidgin 2.10.1 and 2.10.2

Bug #958208 reported by Renato Silva on 2012-03-17
This bug affects 1 person
Affects            Status  Importance  Assigned to  Milestone
pidgin (Ubuntu)            Low         Unassigned
Lucid                      Low         Unassigned
Maverick                   Low         Unassigned
Natty                      Low         Unassigned
Oneiric                    Low         Unassigned
Precise                    Low         Unassigned

Bug Description

Pidgin upstream versions 2.10.1 and 2.10.2 contain security fixes which seem to have not been backported yet to the local Ubuntu package.

visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and filing a bug. These upstream releases correspond to the following CVEs: CVE-2011-3594 CVE-2011-4601 CVE-2011-4602 CVE-2011-4603 CVE-2011-4939 CVE-2012-1178. All are fixed in our development release. CVE-2011-3594 is fixed in all releases. The others have been assessed with a 'Low' priority and will be fixed in a future pidgin update.

Changed in pidgin (Ubuntu Precise):
status: New → Triaged
Changed in pidgin (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → Low
Changed in pidgin (Ubuntu Maverick):
status: New → Triaged
importance: Undecided → Low
Changed in pidgin (Ubuntu Natty):
status: New → Triaged
importance: Undecided → Low
Changed in pidgin (Ubuntu Oneiric):
status: New → Triaged
importance: Undecided → Low
Changed in pidgin (Ubuntu Precise):
importance: Undecided → Low
status: Triaged → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in pidgin (Ubuntu Maverick):
status: Triaged → Won't Fix
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin - 1:2.7.11-1ubuntu2.2

---------------
pidgin (1:2.7.11-1ubuntu2.2) natty-security; urgency=low

  * SECURITY UPDATE: Remote denial of service via specially crafted AIM or ICQ
    messages (LP: #958208)
    - debian/patches/CVE-2011-4601.patch: Validate incoming messages to
      enforce proper UTF-8 encoding. Based on upstream patch.
    - CVE-2011-4601
  * SECURITY UPDATE: Remote denial of service via specially crafted XMPP voice
    and video chat requests (LP: #958208)
    - debian/patches/CVE-2011-4602.patch: Validate fields in incoming voice
      and video chat requests. Based on upstream patch.
    - CVE-2011-4602
  * SECURITY UPDATE: Remote denial of service via specially crafted SILC
    messages (LP: #958208)
    - debian/patches/CVE-2011-4603.patch: Validate incoming messages to
      enforce proper UTF-8 encoding. Based on upstream patch.
    - CVE-2011-4603
  * SECURITY UPDATE: Remote denial of service via specially crafted MSN
    offline messages (LP: #958208)
    - debian/patches/CVE-2012-1178.patch: Convert incoming offline messages to
      UTF-8 if they are not already UTF-8. Based on upstream patch.
    - CVE-2012-1178
  * SECURITY UPDATE: Remote denial of service via specially crafted MSN
    messages (LP: #996691)
    - debian/patches/CVE-2012-2318.patch: Convert incoming messages to UTF-8,
      then validate the messages. Based on upstream patch.
    - CVE-2012-2318
  * SECURITY UPDATE: Remote denial of service via specially crafted MXit
    messages (LP: #1022012)
    - debian/patches/CVE-2012-3374.patch: Use dynamically allocated memory
      instead of a fixed size buffer. Based on upstream patch.
    - CVE-2012-3374
 -- Tyler Hicks <email address hidden> Sun, 08 Jul 2012 18:14:21 -0500

Changed in pidgin (Ubuntu Natty):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin - 1:2.10.0-0ubuntu2.1

---------------
pidgin (1:2.10.0-0ubuntu2.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Remote denial of service via specially crafted AIM or ICQ
    messages (LP: #958208)
    - debian/patches/CVE-2011-4601.patch: Validate incoming messages to
      enforce proper UTF-8 encoding. Based on upstream patch.
    - CVE-2011-4601
  * SECURITY UPDATE: Remote denial of service via specially crafted XMPP voice
    and video chat requests (LP: #958208)
    - debian/patches/CVE-2011-4602.patch: Validate fields in incoming voice
      and video chat requests. Based on upstream patch.
    - CVE-2011-4602
  * SECURITY UPDATE: Remote denial of service via specially crafted SILC
    messages (LP: #958208)
    - debian/patches/CVE-2011-4603.patch: Validate incoming messages to
      enforce proper UTF-8 encoding. Based on upstream patch.
    - CVE-2011-4603
  * SECURITY UPDATE: Remote denial of service via nickname changes in XMPP
    chat rooms (LP: #958208)
    - debian/patches/CVE-2011-4939.patch: Ensure pointer is non-NULL prior to
      dereferencing it. Based on upstream patch.
    - CVE-2011-4939
  * SECURITY UPDATE: Remote denial of service via specially crafted MSN
    offline messages (LP: #958208)
    - debian/patches/CVE-2012-1178.patch: Convert incoming offline messages to
      UTF-8 if they are not already UTF-8. Based on upstream patch.
    - CVE-2012-1178
  * SECURITY UPDATE: Remote denial of service via specially crafted XMPP file
    transfer requests (LP: #996691)
    - debian/patches/CVE-2012-2214.patch: Properly tear down SOCKS5
      connection attempts. Based on upstream patch.
    - CVE-2012-2214
  * SECURITY UPDATE: Remote denial of service via specially crafted MSN
    messages (LP: #996691)
    - debian/patches/CVE-2012-2318.patch: Convert incoming messages to UTF-8,
      then validate the messages. Based on upstream patch.
    - CVE-2012-2318
  * SECURITY UPDATE: Remote denial of service via specially crafted MXit
    messages (LP: #1022012)
    - debian/patches/CVE-2012-3374.patch: Use dynamically allocated memory
      instead of a fixed size buffer. Based on upstream patch.
    - CVE-2012-3374
 -- Tyler Hicks <email address hidden> Sun, 08 Jul 2012 18:14:21 -0500

Changed in pidgin (Ubuntu Oneiric):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin - 1:2.6.6-1ubuntu4.5

---------------
pidgin (1:2.6.6-1ubuntu4.5) lucid-security; urgency=low

  * SECURITY UPDATE: Remote denial of service via specially crafted AIM or ICQ
    messages (LP: #958208)
    - debian/patches/98_CVE-2011-4601.patch: Validate incoming messages to
      enforce proper UTF-8 encoding. Based on upstream patch.
    - CVE-2011-4601
  * SECURITY UPDATE: Remote denial of service via specially crafted XMPP voice
    and video chat requests (LP: #958208)
    - debian/patches/98_CVE-2011-4602.patch: Validate fields in incoming voice
      and video chat requests. Based on upstream patch.
    - CVE-2011-4602
  * SECURITY UPDATE: Remote denial of service via specially crafted SILC
    messages (LP: #958208)
    - debian/patches/98_CVE-2011-4603.patch: Validate incoming messages to
      enforce proper UTF-8 encoding. Based on upstream patch.
    - CVE-2011-4603
  * SECURITY UPDATE: Information disclosure
    - debian/patches/98_CVE-2011-4922.patch: Properly clear memory regions
      when freeing memory containing security-sensitive data. Based on
      upstream patch.
    - CVE-2011-4922
  * SECURITY UPDATE: Remote denial of service via specially crafted MSN
    offline messages (LP: #958208)
    - debian/patches/98_CVE-2012-1178.patch: Convert incoming offline messages
      to UTF-8 if they are not already UTF-8. Based on upstream patch.
    - CVE-2012-1178
  * SECURITY UPDATE: Remote denial of service via specially crafted MSN
    messages (LP: #996691)
    - debian/patches/98_CVE-2012-2318.patch: Convert incoming messages to UTF-8,
      then validate the messages. Based on upstream patch.
    - CVE-2012-2318
  * SECURITY UPDATE: Remote denial of service via specially crafted MXit
    messages (LP: #1022012)
    - debian/patches/98_CVE-2012-3374.patch: Use dynamically allocated memory
      instead of a fixed size buffer. Based on upstream patch.
    - CVE-2012-3374
 -- Tyler Hicks <email address hidden> Sun, 08 Jul 2012 18:14:21 -0500

Changed in pidgin (Ubuntu Lucid):
status: Triaged → Fix Released
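The changelog entries above for CVE-2011-4601 and CVE-2011-4603 describe the fix as validating incoming messages to enforce proper UTF-8 encoding, and the CVE-2012-3374 entry as replacing a fixed-size buffer with dynamically allocated memory. The following is an added example, not Pidgin's or Ubuntu's code (Pidgin itself uses glib's g_utf8_validate() for this class of check): a stand-alone strict UTF-8 validator for a received protocol message, plus a sanitizer that copies the message into a dynamically sized buffer with every malformed byte replaced by U+FFFD. The function names utf8_seq_len, utf8_valid and utf8_sanitize and the sample message are assumptions made for the example.

```c
/* Added example, not Pidgin's own code: strict UTF-8 validation of an
 * incoming protocol message. Pidgin relies on glib's g_utf8_validate();
 * this hypothetical equivalent runs without glib. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of the well-formed UTF-8 sequence starting at s (at most n bytes),
 * or 0 if the bytes there do not form one. Rejects lone continuation bytes,
 * overlong forms, UTF-16 surrogates, code points above U+10FFFF and
 * sequences truncated by the end of the buffer. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    if (n == 0) return 0;
    unsigned char c = s[0];
    if (c < 0x80) return 1;
    size_t len; uint32_t cp, min;
    if (c >= 0xC2 && c <= 0xDF)      { len = 2; cp = c & 0x1F; min = 0x80; }
    else if (c >= 0xE0 && c <= 0xEF) { len = 3; cp = c & 0x0F; min = 0x800; }
    else if (c >= 0xF0 && c <= 0xF4) { len = 4; cp = c & 0x07; min = 0x10000; }
    else return 0;                 /* 0x80..0xC1 or 0xF5..0xFF as lead byte */
    if (n < len) return 0;         /* sequence runs past the end of the data */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if (cp < min) return 0;                      /* overlong encoding */
    if (cp >= 0xD800 && cp <= 0xDFFF) return 0;  /* surrogate half */
    if (cp > 0x10FFFF) return 0;                 /* beyond Unicode range */
    return len;
}

/* Returns 1 if buf[0..n) is entirely well-formed UTF-8, else 0. A receiver
 * that drops or sanitizes messages failing this check never hands malformed
 * data to code that assumes valid UTF-8. */
int utf8_valid(const char *buf, size_t n)
{
    const unsigned char *s = (const unsigned char *)buf;
    size_t i = 0;
    while (i < n) {
        size_t len = utf8_seq_len(s + i, n - i);
        if (len == 0) return 0;
        i += len;
    }
    return 1;
}

/* Returns a newly allocated, NUL-terminated copy of buf[0..n) in which each
 * malformed byte is replaced by U+FFFD (EF BF BD). The output is sized from
 * the input rather than written into a fixed buffer; the caller frees it.
 * Returns NULL on allocation failure. */
char *utf8_sanitize(const char *buf, size_t n)
{
    const unsigned char *s = (const unsigned char *)buf;
    if (n > (SIZE_MAX - 1) / 3) return NULL;  /* worst case: 3 bytes per input byte */
    char *out = malloc(n * 3 + 1);
    if (!out) return NULL;
    size_t i = 0, o = 0;
    while (i < n) {
        size_t len = utf8_seq_len(s + i, n - i);
        if (len == 0) {
            memcpy(out + o, "\xEF\xBF\xBD", 3);
            o += 3; i += 1;
        } else {
            memcpy(out + o, s + i, len);
            o += len; i += len;
        }
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample message: valid text followed by C0 AF, an overlong
     * encoding of '/' that a validating receiver must reject. */
    const char msg[] = "hi \xC3\xA9 \xC0\xAF";
    size_t n = sizeof msg - 1;
    printf("valid: %d\n", utf8_valid(msg, n));
    char *clean = utf8_sanitize(msg, n);
    if (clean) { printf("sanitized: %s\n", clean); free(clean); }
    return 0;
}
```

The validator is run before the message reaches any code that assumes well-formed input; the sanitizer is the alternative where the protocol handler would rather display a replacement character than discard the message, and it never writes into a buffer whose size was fixed ahead of the input.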
This report contains Public Security information. Everyone can see this security related information.