Pidgin versions affected by CVE-2012-2214

Tyler Hicks tyhicks at canonical.com
Fri Jun 22 14:56:01 EDT 2012


Hello Pidgin Security and Paul! I'm on the Ubuntu Security Team and I'm
currently in the process of backporting Pidgin CVE fixes to our stable
releases.

I've completed all backports except for the fix for CVE-2012-2214
(http://www.pidgin.im/news/security/?id=62). I'm trying to determine if
our older releases are affected. Ubuntu 10.04 LTS (Lucid) and 11.04
(Natty) are currently on Pidgin versions 2.6.6-1ubuntu4.4 and
2.7.11-1ubuntu2.1, respectively.

The libpurple/proxy.c code has picked up a few features (Tor proxy
type, DNS API changes, per-account proxies) between those older Pidgin
versions and 2.10.4.

Do you know if the vulnerability was introduced after versions 2.6.6 and
2.7.11, or does the vulnerability predate those versions? Any help that
you could provide would be much appreciated!

Thanks,
Tyler