/www/pidgin: 345538627e01: Updates for 2.10.8.
Mark Doliner
mark at kingant.net
Tue Jan 28 10:09:52 EST 2014
Changeset: 345538627e0126dbfc764784bced3999c6a4bf2f
Author: Mark Doliner <mark at kingant.net>
Date: 2014-01-28 07:08 -0800
Branch: default
URL: https://hg.pidgin.im/www/pidgin/rev/345538627e01
Description:
Updates for 2.10.8.
diffstat:
htdocs/ChangeLog | 123 +++++++++++++++++++++++++++++
htdocs/index.php | 2 +-
htdocs/news/security/index.php | 172 ++++++++++++++++++++++++++++++++++++++++-
inc/version.inc | 4 +-
4 files changed, 297 insertions(+), 4 deletions(-)
diffs (truncated from 349 to 300 lines):
diff --git a/htdocs/ChangeLog b/htdocs/ChangeLog
--- a/htdocs/ChangeLog
+++ b/htdocs/ChangeLog
@@ -1,5 +1,128 @@
Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul
+version 2.10.8 (1/28/2014):
+ General:
+ * Python build scripts and example plugins are now compatible with
+ Python 3. (Ashish Gupta) (#15624)
+
+ libpurple:
+ * Fix potential crash if libpurple gets an error attempting to read a
+ reply from a STUN server. (Discovered by Coverity static analysis)
+ (CVE-2013-6484)
+ * Fix potential crash parsing a malformed HTTP response. (Discovered by
+ Jacob Appelbaum of the Tor Project) (CVE-2013-6479)
+ * Fix buffer overflow when parsing a malformed HTTP response with
+ chunked Transfer-Encoding. (Discovered by Matt Jones, Volvent)
+ (CVE-2013-6485)
+ * Better handling of HTTP proxy responses with negative Content-Lengths.
+ (Discovered by Matt Jones, Volvent)
+ * Fix handling of SSL certificates without subjects when using libnss.
+ * Fix handling of SSL certificates with timestamps in the distant future
+ when using libnss. (#15586)
+ * Impose maximum download size for all HTTP fetches.
+
+ Pidgin:
+ * Fix crash displaying tooltip of long URLs. (CVE-2013-6478)
+ * Better handling of URLs longer than 1000 letters.
+ * Fix handling of multibyte UTF-8 characters in smiley themes. (#15756)
+
+ Windows-Specific Changes:
+ * When clicking file:// links, show the file in Explorer rather than
+ attempting to run the file. This reduces the chances of a user
+ clicking on a link and mistakenly running a malicious file.
+ (Originally discovered by James Burton, Insomnia Security. Rediscovered
+ by Yves Younan of Sourcefire VRT.) (CVE-2013-6486)
+ * Fix Tcl scripts. (#15520)
+ * Fix crash-on-startup when ASLR is always on. (#15521)
+ * Updates to dependencies:
+ * NSS 3.15.4 and NSPR 4.10.2
+ * Pango 1.29.4-1daa
+ Patched for https://bugzilla.gnome.org/show_bug.cgi?id=668154
+
+ AIM:
+ * Fix untrusted certificate error.
+
+ AIM and ICQ:
+ * Fix a possible crash when receiving a malformed message in a Direct IM
+ session.
+
+ Gadu-Gadu:
+ * Fix buffer overflow with remote code execution potential. Only
+ triggerable by a Gadu-Gadu server or a man-in-the-middle.
+ (Discovered by Yves Younan and Ryan Pentney of Sourcefire VRT)
+ (CVE-2013-6487)
+ * Disabled buddy list import/export from/to server (it didn't work
+ anymore). Buddy list synchronization will be implemented in 3.0.0.
+ * Disabled new account registration and password change options, as it
+ didn't work either. Account registration also caused a crash. Both
+ functions are available using official Gadu-Gadu website.
+
+ IRC:
+ * Fix bug where a malicious server or man-in-the-middle could trigger
+ a crash by not sending enough arguments with various messages.
+ (Discovered by Daniel Atallah) (CVE-2014-0020)
+ * Fix bug where initial IRC status would not be set correctly.
+ * Fix bug where IRC wasn't available when libpurple was compiled with
+ Cyrus SASL support. (#15517)
+
+ MSN:
+ * Fix NULL pointer dereference parsing headers in MSN.
+ (Discovered by Fabian Yamaguchi and Christian Wressnegger of the
+ University of Goettingen) (CVE-2013-6482)
+ * Fix NULL pointer dereference parsing OIM data in MSN.
+ (Discovered by Fabian Yamaguchi and Christian Wressnegger of the
+ University of Goettingen) (CVE-2013-6482)
+ * Fix NULL pointer dereference parsing SOAP data in MSN.
+ (Discovered by Fabian Yamaguchi and Christian Wressnegger of the
+ University of Goettingen) (CVE-2013-6482)
+ * Fix possible crash when sending very long messages. Not
+ remotely-triggerable. (Discovered by Matt Jones, Volvent)
+
+ MXit:
+ * Fix buffer overflow with remote code execution potential.
+ (Discovered by Yves Younan and Pawel Janic of Sourcefire VRT)
+ (CVE-2013-6489)
+ * Fix sporadic crashes that can happen after user is disconnected.
+ * Fix crash when attempting to add a contact via search results.
+ * Show error message if file transfer fails.
+ * Fix compiling with InstantBird.
+ * Fix display of some custom emoticons.
+
+ SILC:
+ * Correctly set whiteboard dimensions in whiteboard sessions.
+
+ SIMPLE:
+ * Fix buffer overflow with remote code execution potential.
+ (Discovered by Yves Younan of Sourcefire VRT) (CVE-2013-6490)
+
+ XMPP:
+ * Prevent spoofing of iq replies by verifying that the 'from' address
+ matches the 'to' address of the iq request. (Discovered by Fabian
+ Yamaguchi and Christian Wressnegger of the University of Goettingen,
+ fixed by Thijs Alkemade) (CVE-2013-6483)
+ * Fix crash on some systems when receiving fake delay timestamps with
+ extreme values. (Discovered by Jaime Breva Ribes) (CVE-2013-6477)
+ * Fix possible crash or other erratic behavior when selecting a very
+ small file for your own buddy icon.
+ * Fix crash if the user tries to initiate a voice/video session with a
+ resourceless JID.
+ * Fix login errors when the first two available auth mechanisms fail but
+ a subsequent mechanism would otherwise work when using Cyrus SASL.
+ (#15524)
+ * Fix dropping incoming stanzas on BOSH connections when we receive
+ multiple HTTP responses at once. (Issa Gorissen) (#15684)
+
+ Yahoo!:
+ * Fix possible crashes handling incoming strings that are not UTF-8.
+ (Discovered by Thijs Alkemade and Robert Vehse) (CVE-2012-6152)
+ * Fix a bug reading a peer to peer message where a remote user could
+ trigger a crash. (CVE-2013-6481)
+
+ Plugins:
+ * Fix crash in contact availability plugin.
+ * Fix perl function Purple::Network::ip_atoi
+ * Add Unity integration plugin.
+
version 2.10.7 (02/13/2013):
Alien hatchery:
* No changes
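Review bot: the new version header at the top of this hunk uses an unpadded date, "version 2.10.8 (1/28/2014)", while the existing entry directly below it reads "version 2.10.7 (02/13/2013)"; write it as "version 2.10.8 (01/28/2014)" so the ChangeLog keeps a single date format. Two smaller consistency points in the same hunk: the Yahoo! line for CVE-2013-6481 carries no discovery credit although every other CVE line here does (the security page entry added later in this commit credits Daniel Atallah), and the Windows "Pango 1.29.4-1daa" line mentions only the bugzilla patch, without saying that it fixes the crash on certain Unicode characters that the security page entry (discovered by Eion Robb) describes, so a reader of the ChangeLog cannot tell that the dependency bump is itself a crash fix.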
diff --git a/htdocs/index.php b/htdocs/index.php
--- a/htdocs/index.php
+++ b/htdocs/index.php
@@ -115,7 +115,7 @@
<p class="more" id="lowblurb">
<!-- Put little news blurbs here! -->
-Pidgin 2.10.7 contains <a href="/news/security/">some security updates</a> for users of MXit, Sametime, and anyone connected to a public network (unencrypted Wi-Fi, universities, offices, etc). It also contains updated SSL certificates to fix signin problems with MSN. Please upgrade!
+Pidgin 2.10.8 contains <a href="/news/security/">important security updates</a> for all users. It also fixes the untrusted SSL certificates for AIM. Please upgrade!
</p>
</div>
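Review bot: the replacement blurb's second sentence, "It also fixes the untrusted SSL certificates for AIM", reads as if the certificates themselves were repaired; the ChangeLog hunk in this commit lists the item under AIM as "Fix untrusted certificate error", so "It also fixes the untrusted SSL certificate error when connecting to AIM" would match the ChangeLog and be clearer to users deciding whether to upgrade.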
diff --git a/htdocs/news/security/index.php b/htdocs/news/security/index.php
--- a/htdocs/news/security/index.php
+++ b/htdocs/news/security/index.php
@@ -723,6 +723,176 @@
"fixrevisions" => "ad7e7fb98db3",
"fixedversion" => "2.10.7",
"discoveredby" => "Coverity static analysis"
+ ),
+ array(
+ "title" => "Windows Pidgin crash receiving some characters",
+ "date" => "2014-02-28",
+ "cve" => "",
+ "description" => "The library used to render fonts would sometimes crash when attempting to display certain Unicode characters.",
+ "fix" => "Patch the version of Pango that we bundle with our installer to not crash when displaying these characters.",
+ "fixrevisions" => "3542f04b5e52",
+ "fixedversion" => "2.10.8",
+ "discoveredby" => "Eion Robb"
+ ),
+ array(
+ "title" => "Yahoo! remote crash from incorrect character encoding",
+ "date" => "2014-02-28",
+ "cve" => "CVE-2012-6152",
+ "description" => "Many places in the Yahoo! protocol plugin assumed incoming strings were UTF-8 and failed to transcode from non-UTF-8 encodings. This can lead to a crash when receiving strings that aren't UTF-8.",
+ "fix" => "Depending on the context, either validate that a string is UTF-8 or transcode the string from the appropriate encoding to UTF-8.",
+ "fixrevisions" => "b0345c25f886",
+ "fixedversion" => "2.10.8",
+ "discoveredby" => "Thijs Alkemade and Robert Vehse"
+ ),
+ array(
+ "title" => "Crash handling bad XMPP timestamp",
+ "date" => "2014-02-28",
+ "cve" => "CVE-2013-6477",
+ "description" => "A remote XMPP user can trigger a crash on some systems by sending a message with a timestamp in the distant future.",
+ "fix" => "Avoid passing negative timestamps to localtime().",
+ "fixrevisions" => "852014ae74a0",
+ "fixedversion" => "2.10.8",
+ "discoveredby" => "Jaime Breva Ribes"
+ ),
+ array(
+ "title" => "Crash when hovering pointer over a long URL",
+ "date" => "2014-02-28",
+ "cve" => "CVE-2013-6478",
+ "description" => "libX11 forcefully exits when Pidgin tries to create an exceptionally wide tooltip window.",
+ "fix" => "Only display the first 200 characters of the URL in the tooltip.",
+ "fixrevisions" => "2bb66ef1475e",
+ "fixedversion" => "2.10.8",
+ "discoveredby" => "<a href=\"/pipermail/support/2013-March/012980.html\">support email #1</a>, <a href=\"/pipermail/support/2013-March/012981.html\">support email #2</a>"
+ ),
+ array(
+ "title" => "Remote crash parsing HTTP responses",
+ "date" => "2014-02-28",
+ "cve" => "CVE-2013-6479",
+ "description" => "A malicious server or man-in-the-middle could send a malformed HTTP response that could lead to a crash.",
+ "fix" => "Validate response before using it.",
+ "fixrevisions" => "cd529e1158d3",
+ "fixedversion" => "2.10.8",
+ "discoveredby" => "Jacob Appelbaum of the Tor Project"
+ ),
+ array(
+ "title" => "Remote crash reading Yahoo! P2P message",
+ "date" => "2014-02-28",
+ "cve" => "CVE-2013-6481",
+ "description" => "The Yahoo! protocol plugin failed to validate a length field before trying to read from a buffer, which could result in reading past the end of the buffer which could cause a crash.",
+ "fix" => "Check that the length is within range.",
+ "fixrevisions" => "4d139ce8f7ec",
+ "fixedversion" => "2.10.8",
+ "discoveredby" => "Daniel Atallah"
+ ),
+ array(
+ "title" => "NULL pointer dereference parsing headers in MSN",
+ "date" => "2014-02-28",
+ "cve" => "CVE-2013-6482",
+ "description" => "A malformed Content-Length header could lead to a NULL pointer dereference.",
+ "fix" => "Check to make sure the Content-Length header has a value.",
+ "fixrevisions" => "23cbfff68a0c",
+ "fixedversion" => "2.10.8",
+ "discoveredby" => "Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen"
+ ),
+ array(
+ "title" => "NULL pointer dereference parsing OIM data in MSN",
+ "date" => "2014-02-28",
+ "cve" => "CVE-2013-6482",
+ "description" => "A malicious server or man-in-the-middle could send us a specially-crafted XML response that results in a NULL pointer dereference.",
+ "fix" => "Check for NULL before calling atoi().",
+ "fixrevisions" => "ef836278304b",
+ "fixedversion" => "2.10.8",
+ "discoveredby" => "Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen"
+ ),
+ array(
+ "title" => "NULL pointer dereference parsing SOAP data in MSN",
+ "date" => "2014-02-28",
+ "cve" => "CVE-2013-6482",
+ "description" => "A malicious server or man-in-the-middle could send us a specially-crafted SOAP response that results in a NULL pointer dereference.",
+ "fix" => "Check for NULL before using values.",
+ "fixrevisions" => "68d6df7dc69c",
+ "fixedversion" => "2.10.8",
+ "discoveredby" => "Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen"
+ ),
+ array(
+ "title" => "XMPP doesn't verify 'from' on some iq replies",
+ "date" => "2014-02-28",
+ "cve" => "CVE-2013-6483",
+ "description" => "The XMPP protocol plugin failed to ensure that iq replies came from the person they were sent to. A remote user could send a spoofed iq reply and attempt to guess the iq id. This could allow an attacker to inject fake data or trigger a null pointer dereference.",
+ "fix" => "Keep track of the 'to' when sending an iq stanza and make sure replies for a given stanza ID come from the same address it was sent to.",
+ "fixrevisions" => "93d4bff19574",
+ "fixedversion" => "2.10.8",
+ "discoveredby" => "Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen"
+ ),
+ array(
+ "title" => "Crash reading response from STUN server",
+ "date" => "2014-02-28",
+ "cve" => "CVE-2013-6484",
+ "description" => "Incorrect error handling when reading the response from a STUN server could lead to a crash.",
+ "fix" => "Fix error handling.",
+ "fixrevisions" => "932b985540e9",
+ "fixedversion" => "2.10.8",
+ "discoveredby" => "Coverity static analysis"
+ ),
+ array(
+ "title" => "Buffer overflow parsing chunked HTTP responses",
+ "date" => "2014-02-28",
+ "cve" => "CVE-2013-6485",
+ "description" => "A malicious server or man-in-the-middle could cause a buffer overflow by sending a malformed HTTP response with chunked Transfer-Encoding with invalid chunk sizes.",
+ "fix" => "Enforce a maximum size for chunks.",
+ "fixrevisions" => "c9e5aba2dafd",
+ "fixedversion" => "2.10.8",
+ "discoveredby" => "Matt Jones, Volvent"
+ ),
+ array(
+ "title" => "Pidgin uses clickable links to untrusted executables",
+ "date" => "2014-02-28",
+ "cve" => "CVE-2013-6486",
+ "description" => "If a user clicks on a file:// URI in a received IM in Windows builds of Pidgin, Pidgin attempts to execute the file. This can be dangerous if the file:// URI is a path on a network share. This was <a href=\"?id=55\">originally reported in CVE-2011-3185 in 2011</a> and we attempted to fix it then, but failed.",
+ "fix" => "Don't attempt to execute files when the user clicks a file:// URI. Instead, open a file browser at the file's location.",
+ "fixrevisions" => "b2571530fa8b",
+ "fixedversion" => "2.10.8",
+ "discoveredby" => "Originally by James Burton, Insomnia Security. Rediscovered by Yves Younan of Sourcefire VRT."
+ ),
+ array(
+ "title" => "Buffer overflow in Gadu-Gadu HTTP parsing",
+ "date" => "2014-02-28",
+ "cve" => "CVE-2013-6487",
+ "description" => "A malicious server or man-in-the-middle could send a large value for Content-Length and cause an integer overflow which could lead to a buffer overflow.",
+ "fix" => "Enforce a maximum size for content-length.",
+ "fixrevisions" => "ec15aa187aa0",
+ "fixedversion" => "2.10.8",
+ "discoveredby" => "Yves Younan and Ryan Pentney of Sourcefire VRT"
+ ),
+ array(
+ "title" => "Buffer overflow in MXit emoticon parsing",
+ "date" => "2014-02-28",
+ "cve" => "CVE-2013-6489",
+ "description" => "A specially crafted emoticon value could cause an integer overflow which could lead to a buffer overflow.",
+ "fix" => "Use an unsigned integer and enforce a maximum size.",
+ "fixrevisions" => "4c897372b5a4",
+ "fixedversion" => "2.10.8",
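Review bot: every one of the fifteen advisory entries visible in this hunk is dated "2014-02-28", but the commit itself is dated 2014-01-28 and the ChangeLog hunk above dates the 2.10.8 release 1/28/2014; the month looks like a copy-and-paste typo and should read "2014-01-28" throughout. Two further points: the "Windows Pidgin crash receiving some characters" entry has an empty "cve" field, which is acceptable if no identifier was assigned but is worth a comment so it is not mistaken for an omission; and the diff is truncated in this mail after the MXit entry's "fixedversion" line, so the CVE-2013-6490 (SIMPLE) and CVE-2014-0020 (IRC) entries listed in the ChangeLog cannot be reviewed here and should be confirmed present in the full changeset.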