/www/pidgin: 345538627e01: Updates for 2.10.8.

Mark Doliner mark at kingant.net
Tue Jan 28 10:09:52 EST 2014


Changeset: 345538627e0126dbfc764784bced3999c6a4bf2f
Author:	 Mark Doliner <mark at kingant.net>
Date:	 2014-01-28 07:08 -0800
Branch:	 default
URL: https://hg.pidgin.im/www/pidgin/rev/345538627e01

Description:

Updates for 2.10.8.

diffstat:

 htdocs/ChangeLog               |  123 +++++++++++++++++++++++++++++
 htdocs/index.php               |    2 +-
 htdocs/news/security/index.php |  172 ++++++++++++++++++++++++++++++++++++++++-
 inc/version.inc                |    4 +-
 4 files changed, 297 insertions(+), 4 deletions(-)

diffs (truncated from 349 to 300 lines):

diff --git a/htdocs/ChangeLog b/htdocs/ChangeLog
--- a/htdocs/ChangeLog
+++ b/htdocs/ChangeLog
@@ -1,5 +1,128 @@
 Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul
 
+version 2.10.8 (1/28/2014):
+	General:
+	* Python build scripts and example plugins are now compatible with
+	  Python 3. (Ashish Gupta) (#15624)
+
+	libpurple:
+	* Fix potential crash if libpurple gets an error attempting to read a
+	  reply from a STUN server. (Discovered by Coverity static analysis)
+	  (CVE-2013-6484)
+	* Fix potential crash parsing a malformed HTTP response. (Discovered by
+	  Jacob Appelbaum of the Tor Project) (CVE-2013-6479)
+	* Fix buffer overflow when parsing a malformed HTTP response with
+	  chunked Transfer-Encoding. (Discovered by Matt Jones, Volvent)
+	  (CVE-2013-6485)
+	* Better handling of HTTP proxy responses with negative Content-Lengths.
+	  (Discovered by Matt Jones, Volvent)
+	* Fix handling of SSL certificates without subjects when using libnss.
+	* Fix handling of SSL certificates with timestamps in the distant future
+	  when using libnss. (#15586)
+	* Impose maximum download size for all HTTP fetches.
+
+	Pidgin:
+	* Fix crash displaying tooltip of long URLs. (CVE-2013-6478)
+	* Better handling of URLs longer than 1000 letters.
+	* Fix handling of multibyte UTF-8 characters in smiley themes. (#15756)
+
+	Windows-Specific Changes:
+	* When clicking file:// links, show the file in Explorer rather than
+	  attempting to run the file. This reduces the chances of a user
+	  clicking on a link and mistakenly running a malicious file.
+	  (Originally discovered by James Burton, Insomnia Security. Rediscovered
+	  by Yves Younan of Sourcefire VRT.) (CVE-2013-6486)
+	* Fix Tcl scripts. (#15520)
+	* Fix crash-on-startup when ASLR is always on. (#15521)
+	* Updates to dependencies:
+		* NSS 3.15.4 and NSPR 4.10.2
+		* Pango 1.29.4-1daa
+			Patched for https://bugzilla.gnome.org/show_bug.cgi?id=668154
+
+	AIM:
+	* Fix untrusted certificate error.
+
+	AIM and ICQ:
+	* Fix a possible crash when receiving a malformed message in a Direct IM
+	  session.
+
+	Gadu-Gadu:
+	* Fix buffer overflow with remote code execution potential. Only
+	  triggerable by a Gadu-Gadu server or a man-in-the-middle.
+	  (Discovered by Yves Younan and Ryan Pentney of Sourcefire VRT)
+	  (CVE-2013-6487)
+	* Disabled buddy list import/export from/to server (it didn't work
+	  anymore). Buddy list synchronization will be implemented in 3.0.0.
+	* Disabled new account registration and password change options, as it
+	  didn't work either. Account registration also caused a crash. Both
+	  functions are available using official Gadu-Gadu website.
+
+	IRC:
+	* Fix bug where a malicious server or man-in-the-middle could trigger
+	  a crash by not sending enough arguments with various messages.
+	  (Discovered by Daniel Atallah) (CVE-2014-0020)
+	* Fix bug where initial IRC status would not be set correctly.
+	* Fix bug where IRC wasn't available when libpurple was compiled with
+	  Cyrus SASL support. (#15517)
+
+	MSN:
+	* Fix NULL pointer dereference parsing headers in MSN.
+	  (Discovered by Fabian Yamaguchi and Christian Wressnegger of the
+	  University of Goettingen) (CVE-2013-6482)
+	* Fix NULL pointer dereference parsing OIM data in MSN.
+	  (Discovered by Fabian Yamaguchi and Christian Wressnegger of the
+	  University of Goettingen) (CVE-2013-6482)
+	* Fix NULL pointer dereference parsing SOAP data in MSN.
+	  (Discovered by Fabian Yamaguchi and Christian Wressnegger of the
+	  University of Goettingen) (CVE-2013-6482)
+	* Fix possible crash when sending very long messages. Not
+	  remotely-triggerable. (Discovered by Matt Jones, Volvent)
+
+	MXit:
+	* Fix buffer overflow with remote code execution potential.
+	  (Discovered by Yves Younan and Pawel Janic of Sourcefire VRT)
+	  (CVE-2013-6489)
+	* Fix sporadic crashes that can happen after user is disconnected.
+	* Fix crash when attempting to add a contact via search results.
+	* Show error message if file transfer fails.
+	* Fix compiling with InstantBird.
+	* Fix display of some custom emoticons.
+
+	SILC:
+	* Correctly set whiteboard dimensions in whiteboard sessions.
+
+	SIMPLE:
+	* Fix buffer overflow with remote code execution potential.
+	  (Discovered by Yves Younan of Sourcefire VRT) (CVE-2013-6490)
+
+	XMPP:
+	* Prevent spoofing of iq replies by verifying that the 'from' address
+	  matches the 'to' address of the iq request. (Discovered by Fabian
+	  Yamaguchi and Christian Wressnegger of the University of Goettingen,
+	  fixed by Thijs Alkemade) (CVE-2013-6483)
+	* Fix crash on some systems when receiving fake delay timestamps with
+	  extreme values. (Discovered by Jaime Breva Ribes) (CVE-2013-6477)
+	* Fix possible crash or other erratic behavior when selecting a very
+	  small file for your own buddy icon.
+	* Fix crash if the user tries to initiate a voice/video session with a
+	  resourceless JID.
+	* Fix login errors when the first two available auth mechanisms fail but
+	  a subsequent mechanism would otherwise work when using Cyrus SASL.
+	  (#15524)
+	* Fix dropping incoming stanzas on BOSH connections when we receive
+	  multiple HTTP responses at once. (Issa Gorissen) (#15684)
+
+	Yahoo!:
+	* Fix possible crashes handling incoming strings that are not UTF-8.
+	  (Discovered by Thijs Alkemade and Robert Vehse) (CVE-2012-6152)
+	* Fix a bug reading a peer to peer message where a remote user could
+	  trigger a crash. (CVE-2013-6481)
+
+	Plugins:
+	* Fix crash in contact availability plugin.
+	* Fix perl function Purple::Network::ip_atoi
+	* Add Unity integration plugin.
+
 version 2.10.7 (02/13/2013):
 	Alien hatchery:
 	* No changes
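Review bot: the Yahoo! entry for CVE-2013-6481 ("Fix a bug reading a peer to peer message where a remote user could trigger a crash") is the only CVE entry in this hunk with no discoverer credit, while the security-page entry for the same CVE in this changeset names Daniel Atallah; add "(Discovered by Daniel Atallah)" so the two records agree. Similarly, the Windows Pango patch appears here only as a dependency line ("Pango 1.29.4-1daa / Patched for https://bugzilla.gnome.org/show_bug.cgi?id=668154") with no mention that it fixes a crash on certain Unicode characters or who reported it, although the security page in this changeset records both; a one-line entry under Windows-Specific Changes would keep the ChangeLog complete. Minor: "Fix perl function Purple::Network::ip_atoi" under Plugins is missing its trailing period, unlike every other entry.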
diff --git a/htdocs/index.php b/htdocs/index.php
--- a/htdocs/index.php
+++ b/htdocs/index.php
@@ -115,7 +115,7 @@
 
 <p class="more" id="lowblurb">
 <!-- Put little news blurbs here! -->
-Pidgin 2.10.7 contains <a href="/news/security/">some security updates</a> for users of MXit, Sametime, and anyone connected to a public network (unencrypted Wi-Fi, universities, offices, etc).  It also contains updated SSL certificates to fix signin problems with MSN.  Please upgrade!
+Pidgin 2.10.8 contains <a href="/news/security/">important security updates</a> for all users.  It also fixes the untrusted SSL certificates for AIM.  Please upgrade!
 </p>
 
 </div>
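Review bot: "It also fixes the untrusted SSL certificates for AIM" reads as though the certificates themselves were repaired; the ChangeLog in this changeset phrases it as "Fix untrusted certificate error" under AIM. Suggest "It also fixes the untrusted SSL certificate error for AIM." so the blurb matches the ChangeLog wording.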
diff --git a/htdocs/news/security/index.php b/htdocs/news/security/index.php
--- a/htdocs/news/security/index.php
+++ b/htdocs/news/security/index.php
@@ -723,6 +723,176 @@
 		"fixrevisions" => "ad7e7fb98db3",
 		"fixedversion" => "2.10.7",
 		"discoveredby" => "Coverity static analysis"
+	),
+	array(
+		"title"        => "Windows Pidgin crash receiving some characters",
+		"date"         => "2014-02-28",
+		"cve"          => "",
+		"description"  => "The library used to render fonts would sometimes crash when attempting to display certain Unicode characters.",
+		"fix"          => "Patch the version of Pango that we bundle with our installer to not crash when displaying these characters.",
+		"fixrevisions" => "3542f04b5e52",
+		"fixedversion" => "2.10.8",
+		"discoveredby" => "Eion Robb"
+	),
+	array(
+		"title"        => "Yahoo! remote crash from incorrect character encoding",
+		"date"         => "2014-02-28",
+		"cve"          => "CVE-2012-6152",
+		"description"  => "Many places in the Yahoo! protocol plugin assumed incoming strings were UTF-8 and failed to transcode from non-UTF-8 encodings.  This can lead to a crash when receiving strings that aren't UTF-8.",
+		"fix"          => "Depending on the context, either validate that a string is UTF-8 or transcode the string from the appropriate encoding to UTF-8.",
+		"fixrevisions" => "b0345c25f886",
+		"fixedversion" => "2.10.8",
+		"discoveredby" => "Thijs Alkemade and Robert Vehse"
+	),
+	array(
+		"title"        => "Crash handling bad XMPP timestamp",
+		"date"         => "2014-02-28",
+		"cve"          => "CVE-2013-6477",
+		"description"  => "A remote XMPP user can trigger a crash on some systems by sending a message with a timestamp in the distant future.",
+		"fix"          => "Avoid passing negative timestamps to localtime().",
+		"fixrevisions" => "852014ae74a0",
+		"fixedversion" => "2.10.8",
+		"discoveredby" => "Jaime Breva Ribes"
+	),
+	array(
+		"title"        => "Crash when hovering pointer over a long URL",
+		"date"         => "2014-02-28",
+		"cve"          => "CVE-2013-6478",
+		"description"  => "libX11 forcefully exits when Pidgin tries to create an exceptionally wide tooltip window.",
+		"fix"          => "Only display the first 200 characters of the URL in the tooltip.",
+		"fixrevisions" => "2bb66ef1475e",
+		"fixedversion" => "2.10.8",
+		"discoveredby" => "<a href=\"/pipermail/support/2013-March/012980.html\">support email #1</a>, <a href=\"/pipermail/support/2013-March/012981.html\">support email #2</a>"
+	),
+	array(
+		"title"        => "Remote crash parsing HTTP responses",
+		"date"         => "2014-02-28",
+		"cve"          => "CVE-2013-6479",
+		"description"  => "A malicious server or man-in-the-middle could send a malformed HTTP response that could lead to a crash.",
+		"fix"          => "Validate response before using it.",
+		"fixrevisions" => "cd529e1158d3",
+		"fixedversion" => "2.10.8",
+		"discoveredby" => "Jacob Appelbaum of the Tor Project"
+	),
+	array(
+		"title"        => "Remote crash reading Yahoo! P2P message",
+		"date"         => "2014-02-28",
+		"cve"          => "CVE-2013-6481",
+		"description"  => "The Yahoo! protocol plugin failed to validate a length field before trying to read from a buffer, which could result in reading past the end of the buffer which could cause a crash.",
+		"fix"          => "Check that the length is within range.",
+		"fixrevisions" => "4d139ce8f7ec",
+		"fixedversion" => "2.10.8",
+		"discoveredby" => "Daniel Atallah"
+	),
+	array(
+		"title"        => "NULL pointer dereference parsing headers in MSN",
+		"date"         => "2014-02-28",
+		"cve"          => "CVE-2013-6482",
+		"description"  => "A malformed Content-Length header could lead to a NULL pointer dereference.",
+		"fix"          => "Check to make sure the Content-Length header has a value.",
+		"fixrevisions" => "23cbfff68a0c",
+		"fixedversion" => "2.10.8",
+		"discoveredby" => "Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen"
+	),
+	array(
+		"title"        => "NULL pointer dereference parsing OIM data in MSN",
+		"date"         => "2014-02-28",
+		"cve"          => "CVE-2013-6482",
+		"description"  => "A malicious server or man-in-the-middle could send us a specially-crafted XML response that results in a NULL pointer dereference.",
+		"fix"          => "Check for NULL before calling atoi().",
+		"fixrevisions" => "ef836278304b",
+		"fixedversion" => "2.10.8",
+		"discoveredby" => "Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen"
+	),
+	array(
+		"title"        => "NULL pointer dereference parsing SOAP data in MSN",
+		"date"         => "2014-02-28",
+		"cve"          => "CVE-2013-6482",
+		"description"  => "A malicious server or man-in-the-middle could send us a specially-crafted SOAP response that results in a NULL pointer dereference.",
+		"fix"          => "Check for NULL before using values.",
+		"fixrevisions" => "68d6df7dc69c",
+		"fixedversion" => "2.10.8",
+		"discoveredby" => "Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen"
+	),
+	array(
+		"title"        => "XMPP doesn't verify 'from' on some iq replies",
+		"date"         => "2014-02-28",
+		"cve"          => "CVE-2013-6483",
+		"description"  => "The XMPP protocol plugin failed to ensure that iq replies came from the person they were sent to. A remote user could send a spoofed iq reply and attempt to guess the iq id. This could allow an attacker to inject fake data or trigger a null pointer dereference.",
+		"fix"          => "Keep track of the 'to' when sending an iq stanza and make sure replies for a given stanza ID come from the same address it was sent to.",
+		"fixrevisions" => "93d4bff19574",
+		"fixedversion" => "2.10.8",
+		"discoveredby" => "Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen"
+	),
+	array(
+		"title"        => "Crash reading response from STUN server",
+		"date"         => "2014-02-28",
+		"cve"          => "CVE-2013-6484",
+		"description"  => "Incorrect error handling when reading the response from a STUN server could lead to a crash.",
+		"fix"          => "Fix error handling.",
+		"fixrevisions" => "932b985540e9",
+		"fixedversion" => "2.10.8",
+		"discoveredby" => "Coverity static analysis"
+	),
+	array(
+		"title"        => "Buffer overflow parsing chunked HTTP responses",
+		"date"         => "2014-02-28",
+		"cve"          => "CVE-2013-6485",
+		"description"  => "A malicious server or man-in-the-middle could cause a buffer overflow by sending a malformed HTTP response with chunked Transfer-Encoding with invalid chunk sizes.",
+		"fix"          => "Enforce a maximum size for chunks.",
+		"fixrevisions" => "c9e5aba2dafd",
+		"fixedversion" => "2.10.8",
+		"discoveredby" => "Matt Jones, Volvent"
+	),
+	array(
+		"title"        => "Pidgin uses clickable links to untrusted executables",
+		"date"         => "2014-02-28",
+		"cve"          => "CVE-2013-6486",
+		"description"  => "If a user clicks on a file:// URI in a received IM in Windows builds of Pidgin, Pidgin attempts to execute the file. This can be dangerous if the file:// URI is a path on a network share. This was <a href=\"?id=55\">originally reported in CVE-2011-3185 in 2011</a> and we attempted to fix it then, but failed.",
+		"fix"          => "Don't attempt to execute files when the user clicks a file:// URI. Instead, open a file browser at the file's location.",
+		"fixrevisions" => "b2571530fa8b",
+		"fixedversion" => "2.10.8",
+		"discoveredby" => "Originally by James Burton, Insomnia Security. Rediscovered by Yves Younan of Sourcefire VRT."
+	),
+	array(
+		"title"        => "Buffer overflow in Gadu-Gadu HTTP parsing",
+		"date"         => "2014-02-28",
+		"cve"          => "CVE-2013-6487",
+		"description"  => "A malicious server or man-in-the-middle could send a large value for Content-Length and cause an integer overflow which could lead to a buffer overflow.",
+		"fix"          => "Enforce a maximum size for content-length.",
+		"fixrevisions" => "ec15aa187aa0",
+		"fixedversion" => "2.10.8",
+		"discoveredby" => "Yves Younan and Ryan Pentney of Sourcefire VRT"
+	),
+	array(
+		"title"        => "Buffer overflow in MXit emoticon parsing",
+		"date"         => "2014-02-28",
+		"cve"          => "CVE-2013-6489",
+		"description"  => "A specially crafted emoticon value could cause an integer overflow which could lead to a buffer overflow.",
+		"fix"          => "Use an unsigned integer and enforce a maximum size.",
+		"fixrevisions" => "4c897372b5a4",
+		"fixedversion" => "2.10.8",
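Review bot: every new entry in this hunk has "date" => "2014-02-28", but the ChangeLog in this same changeset dates version 2.10.8 as 1/28/2014 and the changeset itself is dated 2014-01-28, so the month looks like a typo and should be "2014-01-28" throughout. The first new entry (the Windows Pango crash) has "cve" => "", which is acceptable if no CVE was assigned, but it is the only entry with an empty value, so it is worth confirming that was intended rather than an omission. Style: the CVE-2013-6481 description doubles up on "which could" ("which could result in reading past the end of the buffer which could cause a crash"); "resulting in a read past the end of the buffer and a possible crash" says the same thing more cleanly.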