Upcoming Pidgin 2.10.10
Mark Doliner
mark at kingant.net
Wed Oct 22 10:33:38 EDT 2014
We released Pidgin 2.10.10 and this information is all public now.
Changes: https://developer.pidgin.im/wiki/ChangeLog
Files: https://sourceforge.net/projects/pidgin/files/Pidgin/2.10.10/
On Thu, Oct 16, 2014 at 5:34 PM, Mark Doliner <mark at kingant.net> wrote:
> *** The contents of this email are sensitive! Please do not share
> publicly or release updated packages or share these patches until
> after the embargo date -- Wednesday 2014-10-22 at 07:00 PDT, 10:00
> EDT, 14:00 UTC ***
>
> Hello Pidgin packagers!
>
> We the Pidgin team are disclosing 5 security vulnerabilities in Pidgin
> and libpurple. We're releasing Pidgin 2.10.10 on Wednesday of next
> week with fixes. These issues were reported to us privately and as far
> as we know are still private.
>
> You can find patches and 2.10.10 tarballs at:
> https://pidgin.im/~markdoliner/pidgin-2.10.10-AJk9wg5WKFLjqa25Jwxdf34k90dmwn/
>
> The tarballs are signed with my new PGP key, key ID A40AB77B. Also, I
> suspect you'll need to do a little manual work to apply some of the
> patches to older versions of Pidgin--sorry. Hopefully they're
> straightforward enough that you can apply them by hand if you need to.
>
> Please let me know if you have any questions.
> Thanks,
> Mark
>
> -----
>
> CVE-2014-3694, discovered by an anonymous person and Jacob Appelbaum
> of the Tor Project, with thanks to Moxie Marlinspike for first
> publishing about this type of vulnerability
> Insufficient SSL certificate validation
>
> Both of libpurple's bundled SSL/TLS plugins (one for GnuTLS and one
> for NSS) failed to check that the Basic Constraints extension allowed
> intermediate certificates to act as CAs. This allowed anyone with any
> valid certificate to create a fake certificate for any arbitrary
> domain and Pidgin would trust it.
>
> -----
>
> CVE-2014-3695, discovered by Yves Younan and Richard Johnson of Cisco Talos
> A malicious server or man-in-the-middle could trigger a crash in
> libpurple by sending an emoticon with an overly large length value.
>
> -----
>
> CVE-2014-3696, discovered by Yves Younan and Richard Johnson of Cisco Talos
> A malicious server or man-in-the-middle could trigger a crash in
> libpurple by specifying that a large amount of memory should be
> allocated in many places in the UI.
>
> -----
>
> CVE-2014-3697, discovered by Yves Younan of Cisco Talos
> A bug in the untar code on Windows could allow a malicious smiley
> theme to place a file anywhere on the file system, or alter an
> existing file when installing a smiley theme via drag and drop on
> Windows.
>
> -----
>
> CVE-2014-3698, discovered by Thijs Alkemade and Paul Aurich
> A malicious server and possibly even a malicious remote user could
> create a carefully crafted XMPP message that causes libpurple to send
> an XMPP message containing arbitrary memory.
>
> -----
>
> *** The contents of this email are sensitive! Please do not share
> publicly or release updated packages or share these patches until
> after the embargo date -- Wednesday 2014-10-22 at 07:00 PDT, 10:00
> EDT, 14:00 UTC ***
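The CVE-2014-3694 entry above describes the missing check in one sentence: an issuer certificate must carry a Basic Constraints extension with cA set, otherwise any ordinary server certificate can be used to sign a certificate for another domain. The following added example, which is not libpurple's code (libpurple's TLS plugins are written in C against GnuTLS and NSS), shows what that check looks like in isolation: a small DER decoder for the BasicConstraints extension and a chain walk that rejects any non-CA certificate above the leaf and enforces pathLenConstraint. The `Cert` dataclass is a hypothetical stand-in for an already parsed certificate, and all names and DER values are constructed for the example.

```python
"""Basic Constraints check over a certificate chain (added example, not libpurple code)."""
from dataclasses import dataclass, field

BASIC_CONSTRAINTS_OID = "2.5.29.19"


def _read_tlv(data, pos):
    """Read one DER tag-length-value starting at pos.

    Returns (tag, value, next_pos). Handles single-byte tags and short or
    long definite lengths, which is all X.509 extensions use."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length == 0x80:
        raise ValueError("indefinite length is not DER")
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("length runs past end of data")
    return tag, data[pos:pos + length], pos + length


def parse_basic_constraints(der):
    """Decode BasicConstraints ::= SEQUENCE {
           cA                BOOLEAN DEFAULT FALSE,
           pathLenConstraint INTEGER OPTIONAL }
    and return (ca, path_len). A missing cA means FALSE, so an empty
    SEQUENCE is not a CA."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("BasicConstraints must be a single SEQUENCE")
    ca, path_len, pos = False, None, 0
    if pos < len(body):
        t, v, nxt = _read_tlv(body, pos)
        if t == 0x01:  # BOOLEAN; DER allows only 0x00 or 0xFF
            if v not in (b"\x00", b"\xff"):
                raise ValueError("non-DER BOOLEAN encoding")
            ca = v == b"\xff"
            pos = nxt
    if pos < len(body):
        t, v, nxt = _read_tlv(body, pos)
        if t != 0x02:  # INTEGER
            raise ValueError("unexpected element in BasicConstraints")
        path_len = int.from_bytes(v, "big")
        pos = nxt
    if pos != len(body):
        raise ValueError("trailing data in BasicConstraints")
    return ca, path_len


@dataclass
class Cert:
    """Stand-in for an already parsed certificate (hypothetical type)."""
    subject: str
    issuer: str
    extensions: dict = field(default_factory=dict)  # OID string -> DER value


def validate_chain(chain):
    """chain[0] is the leaf, chain[-1] the trusted root.

    Returns (ok, reason). Only issuer/subject chaining and Basic Constraints
    are checked here; signature verification and hostname matching are
    assumed to happen elsewhere in the TLS stack."""
    if not chain:
        return False, "empty chain"
    for lower, upper in zip(chain, chain[1:]):
        if lower.issuer != upper.subject:
            return False, f"{lower.subject} was not issued by {upper.subject}"
    # The check libpurple lacked: every certificate above the leaf must be
    # marked as a CA. Without it, any leaf certificate could sign another.
    for depth, cert in enumerate(chain[1:]):
        ext = cert.extensions.get(BASIC_CONSTRAINTS_OID)
        ca, path_len = parse_basic_constraints(ext) if ext else (False, None)
        if not ca:
            return False, f"{cert.subject} is not allowed to act as a CA"
        # pathLenConstraint limits how many intermediate CAs may sit below.
        if path_len is not None and depth > path_len:
            return False, f"{cert.subject} pathLenConstraint {path_len} exceeded"
    return True, "ok"


# Constructed DER values for the extension (hex spaced for readability).
CA_TRUE = bytes.fromhex("3003 0101ff")                  # SEQUENCE { TRUE }
CA_TRUE_PATHLEN0 = bytes.fromhex("3006 0101ff 020100")  # SEQUENCE { TRUE, 0 }
CA_FALSE = bytes.fromhex("3000")                        # empty SEQUENCE: cA DEFAULT FALSE

# Constructed sample chains (all names hypothetical).
ROOT = Cert("Example Root CA", "Example Root CA", {BASIC_CONSTRAINTS_OID: CA_TRUE})
INTER = Cert("Example Issuing CA", "Example Root CA", {BASIC_CONSTRAINTS_OID: CA_TRUE_PATHLEN0})
LEAF = Cert("chat.example.com", "Example Issuing CA", {BASIC_CONSTRAINTS_OID: CA_FALSE})
# A certificate "signed" by the leaf: the case CVE-2014-3694 let through.
FORGED = Cert("xmpp.example.net", "chat.example.com", {BASIC_CONSTRAINTS_OID: CA_FALSE})

GOOD_CHAIN = [LEAF, INTER, ROOT]
FORGED_CHAIN = [FORGED, LEAF, INTER, ROOT]

if __name__ == "__main__":
    print(validate_chain(GOOD_CHAIN))    # (True, 'ok')
    print(validate_chain(FORGED_CHAIN))  # (False, 'chat.example.com is not allowed to act as a CA')
```

Note that an absent extension is treated the same as cA=FALSE: a v3 certificate that says nothing about being a CA must not issue certificates, which is why the forged chain is rejected even though every signature in it could be valid.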
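The CVE-2014-3697 entry describes the other classic archive bug: member names that, once joined to the destination directory, land outside it. The added example below is not Pidgin's untar code; it shows the path validation a Windows extractor needs (both slash styles as separators, drive letters, UNC prefixes and `..` components rejected) and runs it over a constructed in-memory smiley-theme tarball that mixes legitimate members with hostile names. Nothing is written to disk; `plan_extraction` only reports where each member would go, and `dest_dir` and all member names are constructed.

```python
"""Path validation for archive extraction (added example, not Pidgin's untar code)."""
import io
import posixpath
import re
import tarfile

_DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


def safe_relative_parts(name):
    """Return the components of a member name that is safe to extract under a
    destination directory, or None if it could escape.

    A Windows extractor must treat both '/' and '\\' as separators and must
    reject drive letters, UNC prefixes and '..' components."""
    normalized = name.replace("\\", "/")
    if normalized.startswith("/") or _DRIVE_PREFIX.match(normalized):
        return None  # absolute, drive-relative or UNC (//server/share) path
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None
    return parts


def plan_extraction(tar_bytes, dest_dir):
    """Walk a tar archive held in memory and decide, per member, where it may
    be written. Returns (accepted, rejected): accepted is a list of
    (target_path, data), rejected a list of (member_name, reason).
    Nothing touches the file system; dest_dir is joined with '/' separators."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar:
            if not member.isfile():
                # Links and devices can also escape; a smiley theme needs neither.
                rejected.append((member.name, "not a regular file"))
                continue
            parts = safe_relative_parts(member.name)
            if parts is None:
                rejected.append((member.name, "path escapes destination"))
                continue
            data = tar.extractfile(member).read()
            accepted.append((posixpath.join(dest_dir, *parts), data))
    return accepted, rejected


def build_sample_theme():
    """Build a constructed smiley-theme archive with two legitimate members
    and three hostile names of the kind the advisory describes."""
    members = [
        ("theme", b"[Smiley Theme]\nName=Sample\n"),
        ("smile.png", b"\x89PNG\r\n\x1a\n"),
        ("..\\..\\..\\Windows\\win.ini", b"[overwritten]\n"),
        ("C:\\Users\\Public\\startup.bat", b"@echo constructed\n"),
        ("/etc/passwd", b"root::0:0::/:/bin/sh\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = plan_extraction(build_sample_theme(), "C:/Users/alice/.purple/smileys/sample")
    for path, _ in ok:
        print("write ", path)
    for name, reason in bad:
        print("reject", repr(name), reason)
```

The check is done on the name as stored in the archive, before any join with the destination, so a hostile `..` can never be normalised away by the file system after the fact; rejecting links as well closes the other common escape route an extractor faces.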