Ubuntu
pidgin package

Backport security fixes from Pidgin 2.10.1 and 2.10.2

Bug #958208 reported by Display Name
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pidgin (Ubuntu)
Fix Released
Low
Unassigned
Lucid
Fix Released
Low
Unassigned
Maverick
Won't Fix
Low
Unassigned
Natty
Fix Released
Low
Unassigned
Oneiric
Fix Released
Low
Unassigned
Precise
Fix Released
Low
Unassigned

Bug Description

Pidgin upstream versions 2.10.1 and 2.10.2 contain security fixes which seem to have not been backported yet to the local Ubuntu package.

Display Name (user340562791542-deactivatedaccount)
visibility: private → public
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and filing a bug. These upstream releases correspond to the following CVEs: CVE-2011-3594 CVE-2011-4601 CVE-2011-4602 CVE-2011-4603 CVE-2011-4939 CVE-2012-1178. All are fixed in our development release. CVE-2011-3594 is fixed in all releases. The others have been assessed with a 'Low' priority and will be fixed in a future pidgin update.

Changed in pidgin (Ubuntu Precise):
status: New → Triaged
Changed in pidgin (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → Low
Changed in pidgin (Ubuntu Maverick):
status: New → Triaged
importance: Undecided → Low
Changed in pidgin (Ubuntu Natty):
status: New → Triaged
importance: Undecided → Low
Changed in pidgin (Ubuntu Oneiric):
status: New → Triaged
importance: Undecided → Low
Changed in pidgin (Ubuntu Precise):
importance: Undecided → Low
status: Triaged → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in pidgin (Ubuntu Maverick):
status: Triaged → Won't Fix
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin - 1:2.7.11-1ubuntu2.2

---------------
pidgin (1:2.7.11-1ubuntu2.2) natty-security; urgency=low

  * SECURITY UPDATE: Remote denial of service via specially crafted AIM or ICQ
    messages (LP: #958208)
    - debian/patches/CVE-2011-4601.patch: Validate incoming messages to
      enforce proper UTF-8 encoding. Based on upstream patch.
    - CVE-2011-4601
  * SECURITY UPDATE: Remote denial of service via specially crafted XMPP voice
    and video chat requests (LP: #958208)
    - debian/patches/CVE-2011-4602.patch: Validate fields in incoming voice
      and video chat requests. Based on upstream patch.
    - CVE-2011-4602
  * SECURITY UPDATE: Remote denial of service via specially crafted SILC
    messages (LP: #958208)
    - debian/patches/CVE-2011-4603.patch: Validate incoming messages to
      enforce proper UTF-8 encoding. Based on upstream patch.
    - CVE-2011-4603
  * SECURITY UPDATE: Remote denial of service via specially crafted MSN
    offline messages (LP: #958208)
    - debian/patches/CVE-2012-1178.patch: Convert incoming offline messages to
      UTF-8 if they are not already UTF-8. Based on upstream patch.
    - CVE-2012-1178
  * SECURITY UPDATE: Remote denial of service via specially crafted MSN
    messages (LP: #996691)
    - debian/patches/CVE-2012-2318.patch: Convert incoming messages to UTF-8,
      then validate the messages. Based on upstream patch.
    - CVE-2012-2318
  * SECURITY UPDATE: Remote denial of service via specially crafted MXit
    messages (LP: #1022012)
    - debian/patches/CVE-2012-3374.patch: Use dynamically allocated memory
      instead of a fixed size buffer. Based on upstream patch.
    - CVE-2012-3374
 -- Tyler Hicks <email address hidden> Sun, 08 Jul 2012 18:14:21 -0500

Changed in pidgin (Ubuntu Natty):
status: Triaged → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin - 1:2.10.0-0ubuntu2.1

---------------
pidgin (1:2.10.0-0ubuntu2.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Remote denial of service via specially crafted AIM or ICQ
    messages (LP: #958208)
    - debian/patches/CVE-2011-4601.patch: Validate incoming messages to
      enforce proper UTF-8 encoding. Based on upstream patch.
    - CVE-2011-4601
  * SECURITY UPDATE: Remote denial of service via specially crafted XMPP voice
    and video chat requests (LP: #958208)
    - debian/patches/CVE-2011-4602.patch: Validate fields in incoming voice
      and video chat requests. Based on upstream patch.
    - CVE-2011-4602
  * SECURITY UPDATE: Remote denial of service via specially crafted SILC
    messages (LP: #958208)
    - debian/patches/CVE-2011-4603.patch: Validate incoming messages to
      enforce proper UTF-8 encoding. Based on upstream patch.
    - CVE-2011-4603
  * SECURITY UPDATE: Remote denial of service via nickname changes in XMPP
    chat rooms (LP: #958208)
    - debian/patches/CVE-2011-4939.patch: Ensure pointer is non-NULL prior to
      dereferencing it. Based on upstream patch.
    - CVE-2011-4939
  * SECURITY UPDATE: Remote denial of service via specially crafted MSN
    offline messages (LP: #958208)
    - debian/patches/CVE-2012-1178.patch: Convert incoming offline messages to
      UTF-8 if they are not already UTF-8. Based on upstream patch.
    - CVE-2012-1178
  * SECURITY UPDATE: Remote denial of service via specially crafted XMPP file
    transfer requests (LP: #996691)
    - debian/patches/CVE-2012-2214.patch: Properly tear down SOCKS5
      connection attempts. Based on upstream patch.
    - CVE-2012-2214
  * SECURITY UPDATE: Remote denial of service via specially crafted MSN
    messages (LP: #996691)
    - debian/patches/CVE-2012-2318.patch: Convert incoming messages to UTF-8,
      then validate the messages. Based on upstream patch.
    - CVE-2012-2318
  * SECURITY UPDATE: Remote denial of service via specially crafted MXit
    messages (LP: #1022012)
    - debian/patches/CVE-2012-3374.patch: Use dynamically allocated memory
      instead of a fixed size buffer. Based on upstream patch.
    - CVE-2012-3374
 -- Tyler Hicks <email address hidden> Sun, 08 Jul 2012 18:14:21 -0500

Changed in pidgin (Ubuntu Oneiric):
status: Triaged → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin - 1:2.6.6-1ubuntu4.5

---------------
pidgin (1:2.6.6-1ubuntu4.5) lucid-security; urgency=low

  * SECURITY UPDATE: Remote denial of service via specially crafted AIM or ICQ
    messages (LP: #958208)
    - debian/patches/98_CVE-2011-4601.patch: Validate incoming messages to
      enforce proper UTF-8 encoding. Based on upstream patch.
    - CVE-2011-4601
  * SECURITY UPDATE: Remote denial of service via specially crafted XMPP voice
    and video chat requests (LP: #958208)
    - debian/patches/98_CVE-2011-4602.patch: Validate fields in incoming voice
      and video chat requests. Based on upstream patch.
    - CVE-2011-4602
  * SECURITY UPDATE: Remote denial of service via specially crafted SILC
    messages (LP: #958208)
    - debian/patches/98_CVE-2011-4603.patch: Validate incoming messages to
      enforce proper UTF-8 encoding. Based on upstream patch.
    - CVE-2011-4603
  * SECURITY UPDATE: Information disclosure
    - debian/patches/98_CVE-2011-4922.patch: Properly clear memory regions
      when freeing memory containing security-sensitive data. Based on
      upstream patch.
    - CVE-2011-4922
  * SECURITY UPDATE: Remote denial of service via specially crafted MSN
    offline messages (LP: #958208)
    - debian/patches/98_CVE-2012-1178.patch: Convert incoming offline messages
      to UTF-8 if they are not already UTF-8. Based on upstream patch.
    - CVE-2012-1178
  * SECURITY UPDATE: Remote denial of service via specially crafted MSN
    messages (LP: #996691)
    - debian/patches/98_CVE-2012-2318.patch: Convert incoming messages to UTF-8,
      then validate the messages. Based on upstream patch.
    - CVE-2012-2318
  * SECURITY UPDATE: Remote denial of service via specially crafted MXit
    messages (LP: #1022012)
    - debian/patches/98_CVE-2012-3374.patch: Use dynamically allocated memory
      instead of a fixed size buffer. Based on upstream patch.
    - CVE-2012-3374
 -- Tyler Hicks <email address hidden> Sun, 08 Jul 2012 18:14:21 -0500

Changed in pidgin (Ubuntu Lucid):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.