Upcoming Pidgin 2.10.10

Mark Doliner mark at kingant.net
Thu Oct 16 20:34:52 EDT 2014


*** The contents of this email are sensitive!  Please do not share
publicly or release updated packages or share these patches until
after the embargo date -- Wednesday 2014-10-22 at 07:00 PDT, 10:00
EDT, 14:00 UTC ***

Hello Pidgin packagers!

We the Pidgin team are disclosing 5 security vulnerabilities in Pidgin
and libpurple. We're releasing Pidgin 2.10.10 on Wednesday of next
week with fixes. These issues were reported to us privately and as far
as we know are still private.

You can find patches and 2.10.10 tarballs at:
https://pidgin.im/~markdoliner/pidgin-2.10.10-AJk9wg5WKFLjqa25Jwxdf34k90dmwn/

The tarballs are signed with my new PGP key, key ID A40AB77B. Also, I
suspect you'll need to do a little manual work to apply some of the
patches to older versions of Pidgin--sorry. Hopefully they're
straightforward enough that you can apply them by hand if you need to.

Please let me know if you have any questions.
Thanks,
Mark

-----

CVE-2014-3694, discovered by an anonymous person and Jacob Appelbaum
of the Tor Project, with thanks to Moxie Marlinspike for first
publishing about this type of vulnerability
Insufficient SSL certificate validation

Both of libpurple's bundled SSL/TLS plugins (one for GnuTLS and one
for NSS) failed to check that the Basic Constraints extension allowed
intermediate certificates to act as CAs. As a result, anyone holding
any valid certificate (an ordinary end-entity certificate for their own
domain was enough) could use its key to sign a certificate for any
arbitrary domain, and Pidgin would trust the resulting chain.
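To make the missing check concrete, here is an added example (not code from the original advisory or from libpurple) that models chain building with a toy certificate struct in C, the language libpurple is written in. The struct fields, the sample chains and the names in them are constructed for this note; there is no real X.509 parsing or signature verification here, only the issuer-link walk and the Basic Constraints test that the plugins skipped:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy certificate model used only to illustrate the chain-building logic.
 * A real validator (NSS, GnuTLS, OpenSSL) also checks signatures, validity
 * dates, key usage and the Basic Constraints path length constraint. */
typedef struct {
    const char *subject;
    const char *issuer;
    bool        is_ca;      /* Basic Constraints: CA=TRUE */
    bool        trusted;    /* present in the local trust store (a root) */
} toy_cert;

/* Chain layout: index 0 is the leaf presented for the server name, the last
 * entry is the trust anchor, and each cert is issued by the next one. */

/* Check 1: the behaviour described for the pre-2.10.10 plugins. Issuer
 * links are followed and the anchor is checked, but nothing asks whether
 * an issuing certificate is allowed to act as a CA. */
static bool chain_ok_without_bc(const toy_cert *chain, size_t n)
{
    if (n == 0)
        return false;
    for (size_t i = 0; i + 1 < n; i++) {
        if (strcmp(chain[i].issuer, chain[i + 1].subject) != 0)
            return false;           /* broken issuer link */
    }
    return chain[n - 1].trusted;
}

/* Check 2: the fix. Every certificate that issues another one (everything
 * above the leaf, the anchor included) must carry CA=TRUE. */
static bool chain_ok_with_bc(const toy_cert *chain, size_t n)
{
    if (n == 0)
        return false;
    for (size_t i = 0; i + 1 < n; i++) {
        if (strcmp(chain[i].issuer, chain[i + 1].subject) != 0)
            return false;           /* broken issuer link */
        if (!chain[i + 1].is_ca)
            return false;           /* an end-entity cert was used as an issuer */
    }
    return chain[n - 1].trusted && chain[n - 1].is_ca;
}

/* Constructed sample data: placeholder names, not real certificates. */
static const toy_cert legit_chain[] = {
    { "CN=xmpp.example.org",        "CN=Example Intermediate CA", false, false },
    { "CN=Example Intermediate CA", "CN=Example Root CA",         true,  false },
    { "CN=Example Root CA",         "CN=Example Root CA",         true,  true  },
};

/* The attacker holds an ordinary end-entity certificate for attacker.test
 * and uses its private key to sign a certificate for the victim's host. */
static const toy_cert rogue_chain[] = {
    { "CN=xmpp.example.org",        "CN=attacker.test",           false, false },
    { "CN=attacker.test",           "CN=Example Intermediate CA", false, false },
    { "CN=Example Intermediate CA", "CN=Example Root CA",         true,  false },
    { "CN=Example Root CA",         "CN=Example Root CA",         true,  true  },
};

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    printf("legit chain, no BC check:  %s\n",
           chain_ok_without_bc(legit_chain, LEN(legit_chain)) ? "accepted" : "rejected");
    printf("legit chain, BC check:     %s\n",
           chain_ok_with_bc(legit_chain, LEN(legit_chain)) ? "accepted" : "rejected");
    printf("rogue chain, no BC check:  %s\n",
           chain_ok_without_bc(rogue_chain, LEN(rogue_chain)) ? "accepted" : "rejected");
    printf("rogue chain, BC check:     %s\n",
           chain_ok_with_bc(rogue_chain, LEN(rogue_chain)) ? "accepted" : "rejected");
    return 0;
}
```

The rogue chain is accepted by the first check and rejected by the second; the only difference is the `is_ca` test on each issuer. When testing a patched build against a real server, the equivalent end-to-end check is to present a certificate signed by a leaf certificate's key and confirm the client refuses to connect.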

-----

CVE-2014-3695, discovered by Yves Younan and Richard Johnson of Cisco Talos
A malicious server or man-in-the-middle could trigger a crash in
libpurple by sending an emoticon with an overly large length value.

-----

CVE-2014-3696, discovered by Yves Younan and Richard Johnson of Cisco Talos
A malicious server or man-in-the-middle could trigger a crash in
libpurple by sending data that instructs it to allocate a very large
amount of memory; this affects many places in the UI.
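Both of the two preceding issues come down to a length or size value that arrives from the peer and is used without being bounded by what was actually received or by what the protocol could reasonably need. The following C example is added here for illustration and is not code from libpurple or any of its protocol plugins; the 4-byte big-endian length-prefixed framing, the 64 KiB cap and the sample frames are all constructed for this note. It shows the unchecked pattern next to a bounded reader:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed framing for illustration only: a 4-byte big-endian length
 * followed by that many payload bytes. Not any real libpurple wire format. */
#define MAX_FIELD_LEN (64u * 1024u)   /* assumed per-field cap; tune per field */

typedef struct {
    unsigned char *data;   /* malloc'd copy of the payload, caller frees */
    size_t         len;
} field;

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The pattern behind both crashes: the peer's length is trusted as-is.
 * A length larger than the bytes received makes memcpy read past the end
 * of `buf`; a length near 4 GiB makes malloc fail and memcpy then writes
 * through NULL. Kept for contrast only; never call it on untrusted input. */
static int read_field_unchecked(const unsigned char *buf, size_t *pos,
                                field *out)
{
    uint32_t len = be32(buf + *pos);
    out->data = malloc(len);                  /* unchecked allocation size */
    memcpy(out->data, buf + *pos + 4, len);   /* unchecked read length */
    out->len = len;
    *pos += 4 + len;
    return 0;
}

/* Hardened: every read is bounded by what was received and the allocation
 * by a cap the protocol actually needs. Returns 0 on success, -1 on a
 * malformed frame, leaving *pos and *out untouched on failure. */
static int read_field_checked(const unsigned char *buf, size_t buf_len,
                              size_t *pos, field *out)
{
    if (*pos > buf_len || buf_len - *pos < 4)
        return -1;                            /* length header truncated */
    uint32_t len = be32(buf + *pos);
    if (len > MAX_FIELD_LEN)
        return -1;                            /* refuse oversized allocation */
    if (len > buf_len - (*pos + 4))
        return -1;                            /* payload not fully present */
    unsigned char *copy = malloc(len ? len : 1);  /* sidestep malloc(0) */
    if (copy == NULL)
        return -1;
    memcpy(copy, buf + *pos + 4, len);
    out->data = copy;
    out->len  = len;
    *pos += 4 + len;
    return 0;
}

/* Convenience wrapper: length of the first field, or -1 if rejected. */
static long parse_first_field_len(const unsigned char *buf, size_t buf_len)
{
    field f;
    size_t pos = 0;
    if (read_field_checked(buf, buf_len, &pos, &f) != 0)
        return -1;
    long n = (long)f.len;
    free(f.data);
    return n;
}

/* Constructed sample frames. */
static const unsigned char good_frame[]     = { 0, 0, 0, 3, 'a', 'b', 'c' };
static const unsigned char oversize_frame[] = { 0x7f, 0xff, 0xff, 0xff, 'a' }; /* claims ~2 GiB */
static const unsigned char short_frame[]    = { 0, 0, 0, 9, 'a', 'b' };        /* claims 9, has 2 */
static const unsigned char truncated_hdr[]  = { 0, 0 };

int main(void)
{
    field f;
    size_t pos = 0;
    /* Safe only because good_frame is well formed. */
    read_field_unchecked(good_frame, &pos, &f);
    printf("unchecked read of good frame: %zu bytes\n", f.len);
    free(f.data);
    printf("checked: good=%ld oversize=%ld short=%ld truncated=%ld\n",
           parse_first_field_len(good_frame, sizeof good_frame),
           parse_first_field_len(oversize_frame, sizeof oversize_frame),
           parse_first_field_len(short_frame, sizeof short_frame),
           parse_first_field_len(truncated_hdr, sizeof truncated_hdr));
    return 0;
}
```

The three rejections exercise three distinct conditions (header truncated, declared length over the cap, declared length beyond the received bytes); a fuzzer that only mutates the length field will hit all three, so they are the cases a packager backporting these fixes should re-test.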

-----

CVE-2014-3697, discovered by Yves Younan of Cisco Talos
A bug in the untar code on Windows could allow a malicious smiley
theme, installed via drag and drop, to place a file anywhere on the
file system or overwrite an existing file.
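An archive that can write outside its extraction directory is doing so through the entry names it carries, so the defensive check belongs before any file is opened. The C below is an added example written for this note, not the libpurple untar code; the function names and the accepted set of entry types are assumptions. It rejects absolute paths, drive-letter and UNC names, any ".." component on either separator, and link entries, which is the minimum a theme installer on Windows needs:

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical pre-extraction check for a tar entry. `name` is the entry's
 * full path (for ustar, the prefix field joined to the name field).
 * Returns true only for a relative path that cannot leave the extraction
 * directory on Windows. */
static bool tar_entry_name_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0)
        return false;
    /* Absolute path or UNC share: "/foo", "\foo", "\\server\share\x" */
    if (name[0] == '/' || name[0] == '\\')
        return false;
    /* Drive-relative or drive-absolute: "C:foo", "C:\foo" */
    if (len >= 2 && isalpha((unsigned char)name[0]) && name[1] == ':')
        return false;
    /* Windows treats '/' and '\' as separators, so split on both and
     * reject a ".." component wherever it appears. */
    const char *p = name;
    while (*p != '\0') {
        const char *q = p;
        while (*q != '\0' && *q != '/' && *q != '\\')
            q++;
        if ((size_t)(q - p) == 2 && p[0] == '.' && p[1] == '.')
            return false;
        p = (*q != '\0') ? q + 1 : q;
    }
    return true;
}

/* Entry types a smiley theme legitimately needs (assumed): regular files
 * ('0' or NUL) and directories ('5'). Hard links ('1') and symlinks ('2')
 * can point outside the theme directory and are refused outright. */
static bool tar_entry_type_is_allowed(char typeflag)
{
    return typeflag == '0' || typeflag == '\0' || typeflag == '5';
}

static bool tar_entry_is_safe(const char *name, char typeflag)
{
    return tar_entry_type_is_allowed(typeflag) && tar_entry_name_is_safe(name);
}

int main(void)
{
    /* Constructed entry names, as an attacker-controlled theme might carry. */
    const char *samples[] = {
        "theme/smile.png",
        "..\\..\\..\\Windows\\System32\\evil.dll",
        "C:\\Users\\Public\\evil.dll",
        "\\\\server\\share\\x",
        "theme/../../evil",
        "theme/..hidden/ok.png",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s %s\n", samples[i],
               tar_entry_is_safe(samples[i], '0') ? "extract" : "REJECT");
    printf("%-40s %s\n", "theme/link (symlink)",
           tar_entry_is_safe("theme/link", '2') ? "extract" : "REJECT");
    return 0;
}
```

A name check alone is still only half of the defence: after joining the sanitised name to the destination directory, the installer should also confirm the resulting path still starts with that directory, and it should create files with flags that refuse to follow an existing symlink or junction at the target.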

-----

CVE-2014-3698, discovered by Thijs Alkemade and Paul Aurich
A malicious server, and possibly even a malicious remote user, could
create a carefully crafted XMPP message that causes libpurple to send
an XMPP message containing the contents of arbitrary client memory
(a memory disclosure).

-----
