Pidgin may be vulnerable to remote MSN and XMPP crashes

Bug #996691 reported by Alexander Fougner on 2012-05-08
Affects: pidgin (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

New upstream release, fixes a few security vulnerabilities.

- Fixes possible MSN remote crash (CVE-2012-2318)
- Fixes XMPP remote crash (CVE-2012-2214)

Alexander Fougner (fougner) wrote :

I've got a PPA where I built the latest 2.10.4.

https://launchpad.net/~fougner/+archive/test/+packages

Alexander Fougner (fougner) wrote :

Here's a debdiff for the update

Tyler Hicks (tyhicks) wrote :

Hi Alexander - Thanks for the debdiff! Unfortunately, it does not follow the security update procedures documented here:

https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation

Rather than update the Precise pidgin version to 1:2.10.4-0ubuntu1, we need to backport the two security fixes to the existing Precise pidgin source and bump the version number to 1:2.10.3-0ubuntu1.1. The relevant patches are:

http://developer.pidgin.im/viewmtn/revision/info/94cbd5a68ee237c970d8bd6d9d53106f1b9627ad
http://developer.pidgin.im/viewmtn/revision/info/d991ff6d558d185527a09eae0378edb3fc7057a5

I'm unsubscribing ubuntu-security-sponsors from this bug. If you are able to provide an updated debdiff, please resubscribe ubuntu-security-sponsors and set the bug status to NEW. Otherwise, the Ubuntu Security Team will update pidgin after one of our team members has a chance to go through the appropriate update preparation.

security vulnerability: no → yes
Changed in pidgin (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
summary: - Update pidgin to 2.10.4
+ Pidgin may be vulnerable to remote MSN and XMPP crashes
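
The checks a sponsor applies to a debdiff like the one declined above, as an added example (not Launchpad's or the Ubuntu Security Team's own tooling): the debdiff must not touch the upstream tree, and its new changelog stanza must carry the security-update version (1:2.10.3-0ubuntu1 becomes 1:2.10.3-0ubuntu1.1) and the release's -security pocket. The debdiff header layout ("diff -Nru", "---", "+++") and the sample debdiff are assumptions.

```python
# Added example (not Launchpad's or the Ubuntu Security Team's tooling): sanity-check a proposed
# security-update debdiff against the conventions stated above; debdiff layout and sample are assumed.
import re

def security_update_version(current):
    # ...-0ubuntu1 -> -0ubuntu1.1, -0ubuntu1.1 -> -0ubuntu1.2, plain 1.2-3 -> 1.2-3ubuntu0.1
    m = re.match(r"^(.*ubuntu\d+)(?:\.(\d+))?$", current)
    if m:
        return f"{m.group(1)}.{int(m.group(2) or 0) + 1}"
    if "-" not in current:
        raise ValueError("native package versioning not covered here")
    return current + "ubuntu0.1"

def check_debdiff(debdiff, current_version, release):
    """Return a list of findings; an empty list means the debdiff passes."""
    files, findings = {}, []  # touched path (source-dir prefix dropped) -> its hunk text
    for chunk in re.split(r"^diff -Nru .*\n", debdiff, flags=re.M)[1:]:
        path = re.match(r"--- \S+\n\+\+\+ (\S+)", chunk).group(1)
        files[path.split("/", 1)[1]] = chunk
    for path in files:  # a backport never edits the upstream tree
        if not path.startswith("debian/"):
            findings.append(f"{path}: modifies upstream sources")
    m = re.search(r"^\+\S+ \(([^)]+)\) (\S+);", files.get("debian/changelog", ""), re.M)
    if not m:
        return findings + ["debian/changelog: no new stanza"]
    want = security_update_version(current_version)
    if m.group(1) != want:
        findings.append(f"debian/changelog: version {m.group(1)}, expected {want}")
    if m.group(2) != f"{release}-security":
        findings.append(f"debian/changelog: pocket {m.group(2)}, expected {release}-security")
    return findings

# Constructed sample: a "bump to the new upstream" debdiff like the one declined above
SAMPLE = """\
diff -Nru pidgin-2.10.3/debian/changelog pidgin-2.10.4/debian/changelog
--- pidgin-2.10.3/debian/changelog
+++ pidgin-2.10.4/debian/changelog
@@ -1,2 +1,4 @@
+pidgin (1:2.10.4-0ubuntu1) precise; urgency=low
+
 pidgin (1:2.10.3-0ubuntu1) precise; urgency=low
diff -Nru pidgin-2.10.3/libpurple/example.c pidgin-2.10.4/libpurple/example.c
--- pidgin-2.10.3/libpurple/example.c
+++ pidgin-2.10.4/libpurple/example.c
@@ -0,0 +1 @@
+/* constructed: an upstream source file changed by the version bump */
"""
```

Running `check_debdiff(SAMPLE, "1:2.10.3-0ubuntu1", "precise")` reports the upstream file, the wrong version and the wrong pocket; a debdiff that only adds the two CVE patches and a 1:2.10.3-0ubuntu1.1 precise-security stanza passes with no findings.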
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin - 1:2.10.3-0ubuntu1.1

---------------
pidgin (1:2.10.3-0ubuntu1.1) precise-security; urgency=low

  * SECURITY UPDATE: Remote denial of service via specially crafted XMPP file
    transfer requests (LP: #996691)
    - debian/patches/CVE-2012-2214.patch: Properly tear down SOCKS5
      connection attempts. Based on upstream patch.
    - CVE-2012-2214
  * SECURITY UPDATE: Remote denial of service via specially crafted MSN
    messages (LP: #996691)
    - debian/patches/CVE-2012-2318.patch: Convert incoming messages to UTF-8,
      then validate the messages. Based on upstream patch.
    - CVE-2012-2318
  * SECURITY UPDATE: Remote denial of service via specially crafted MXit
    messages (LP: #1022012)
    - debian/patches/CVE-2012-3374.patch: Use dynamically allocated memory
      instead of a fixed size buffer. Based on upstream patch.
    - CVE-2012-3374
 -- Tyler Hicks <email address hidden> Sun, 08 Jul 2012 18:14:21 -0500

Changed in pidgin (Ubuntu):
status: Triaged → Fix Released