Upcoming Pidgin security disclosures and 2.10.1

Mark Doliner mark at kingant.net
Tue Dec 6 04:57:33 EST 2011


Hi packagers of Pidgin!  Please don't disclose the following
information to the public until after the embargo date!

We've been made aware of 3 remote-crash bugs in Pidgin for which we'll
be releasing version 2.10.1.

1. Remote crash in XMPP handling incoming malformed jingle stanzas.
This issue is not yet public.  Thijs Alkemade discovered it and
notified us privately on October 23.  Josh, Jan, and Tomas of Red Hat:
Would one of you be able to issue a CVE for this issue?  A patch can
be downloaded from
http://www.pidgin.im/~markdoliner/3fK87mgWR53g45p/fix_jabber_crash.diff

2. Remote crash in oscar when handling incoming buddy list-related
SNACs.  Evgeny Boger discovered this and unfortunately notified us via
our public bug tracker (http://developer.pidgin.im/ticket/14682), so
the issue is considered public.  I do not believe a CVE exists for
this yet.  I'll request a CVE from the oss-security at lists.openwall.com
mailing list closer to the embargo date.  A patch can be downloaded
from http://www.pidgin.im/~markdoliner/3fK87mgWR53g45p/fix_oscar_crash.diff

3. Remote crash in SILC when handling incoming messages.  This is the
same issue Ethan emailed this list about on September 29th (yes, we're
just now doing a Pidgin release to fix it).  Diego Bauche Madero from
IOActive discovered this and notified us via our public bug tracker
(http://developer.pidgin.im/ticket/14636).  Ethan has already obtained
CVE-2011-3594.  Ethan included a partial patch in his previous email.
A more complete patch can be downloaded from
http://www.pidgin.im/~markdoliner/3fK87mgWR53g45p/fix_silc_crash_CVE-2011-3594.diff

Lastly, we're planning to release 2.10.1 and disclose this information
to the public on Saturday, Dec 10 at noon PST (20:00 UTC).  We have
tagged 2.10.1 and built tarballs.  If you'd like to get a head start
on your packaging, you can download them from
http://www.pidgin.im/~markdoliner/3fK87mgWR53g45p/

Once again, the above information is private until after the embargo
date!  Please do not release this information publicly, or any of
these URLs, or any of the files from those URLs, until after the
embargo date!  That includes not entering this information into
public trackers or checking these files into public
archives/repositories.

Thanks,
Mark