Debian Bug report logs -
#680661
pidgin: CVE-2012-3374: Buffer overflow in markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.5
Reported by: Henri Salo <henri@nerv.fi>
Date: Sat, 7 Jul 2012 20:27:04 UTC
Severity: important
Tags: confirmed, fixed-upstream, security
Found in versions pidgin/2.7.3-1+squeeze2, pidgin/2.10.4-1.1
Fixed in versions pidgin/2.10.6-1, 2.7.3-1+squeeze3
Done: Ari Pollak <ari@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#680661; Package pidgin.
(Sat, 07 Jul 2012 20:27:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Ari Pollak <ari@debian.org>.
(Sat, 07 Jul 2012 20:27:07 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: pidgin
Version: 2.7.3-1+squeeze2
Severity: important
Tags: security, confirmed, fixed-upstream
Pidgin 2.7.3-1+squeeze1 (at least) is affected by security vulnerability, which allows remote attackers to execute arbitrary code via a crafted inline image in a message.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3374
Pidgin security advisory: http://www.pidgin.im/news/security/index.php?id=64
Changes: http://hg.pidgin.im/pidgin/main/rev/ded93865ef42
This should be fixed as soon as possible.
- Henri Salo
-- System Information:
Debian Release: 6.0.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.4.1 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages pidgin depends on:
ii gconf2 2.28.1-6 GNOME configuration database syste
ii libatk1.0-0 1.30.0-1 The ATK accessibility toolkit
ii libc6 2.11.3-3 Embedded GNU C Library: Shared lib
ii libcairo2 1.8.10-6 The Cairo 2D vector graphics libra
ii libdbus-1-3 1.2.24-4+squeeze1 simple interprocess messaging syst
ii libdbus-glib-1-2 0.88-2.1 simple interprocess messaging syst
ii libfontconfig1 2.8.0-2.1 generic font configuration library
ii libfreetype6 2.4.2-2.1+squeeze4 FreeType 2 font engine, shared lib
ii libglib2.0-0 2.24.2-1 The GLib library of C routines
ii libgstreamer0.10-0 0.10.30-1 Core GStreamer libraries and eleme
ii libgtk2.0-0 2.20.1-2 The GTK+ graphical user interface
pn libgtkspell0 <none> (no description available)
ii libice6 2:1.0.6-2 X11 Inter-Client Exchange library
ii libpango1.0-0 1.28.3-1+squeeze2 Layout and rendering of internatio
pn libpurple0 <none> (no description available)
ii libsm6 2:1.1.1-1 X11 Session Management library
ii libstartup-notific 0.10-1 library for program launch feedbac
ii libx11-6 2:1.3.3-4 X11 client-side library
ii libxml2 2.7.8.dfsg-2+squeeze4 GNOME XML library
ii libxss1 1:1.2.0-2 X11 Screen Saver extension library
ii perl 5.10.1-17squeeze3 Larry Wall's Practical Extraction
ii perl-base [perlapi 5.10.1-17squeeze3 minimal Perl system
pn pidgin-data <none> (no description available)
Versions of packages pidgin recommends:
ii gstreamer0.10-plugins-base 0.10.30-1 GStreamer plugins from the "base"
ii gstreamer0.10-plugins-good 0.10.24-1 GStreamer plugins from the "good"
Versions of packages pidgin suggests:
pn evolution-data-server <none> (no description available)
pn gnome-panel | kdebase-workspa <none> (no description available)
ii libsqlite3-0 3.7.3-1 SQLite 3 shared library
Marked as fixed in versions pidgin/2.10.6-1.
Request was from Henri Salo <henri@nerv.fi>
to control@bugs.debian.org.
(Sat, 07 Jul 2012 20:39:15 GMT) (full text, mbox, link).
Marked as found in versions pidgin/2.10.4-1.1.
Request was from Henri Salo <henri@nerv.fi>
to control@bugs.debian.org.
(Sat, 07 Jul 2012 20:42:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#680661; Package pidgin.
(Sun, 08 Jul 2012 18:21:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Ari Pollak <ari@debian.org>.
(Sun, 08 Jul 2012 18:21:04 GMT) (full text, mbox, link).
Message #14 received at 680661@bugs.debian.org (full text, mbox, reply):
DSA-2509-1 http://lists.alioth.debian.org/pipermail/secure-testing-commits/2012-July/020869.html
Reply sent
to Ari Pollak <ari@debian.org>:
You have taken responsibility.
(Sun, 08 Jul 2012 23:39:10 GMT) (full text, mbox, link).
Notification sent
to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer.
(Sun, 08 Jul 2012 23:39:10 GMT) (full text, mbox, link).
Message #19 received at 680661-done@bugs.debian.org (full text, mbox, reply):
Version: 2.7.3-1+squeeze3
Fixed in stable.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 06 Aug 2012 07:32:40 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:35:14 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon