[Pidgin] #15281: Gtk libraries dangerously out of date?

Pidgin trac at pidgin.im
Thu Aug 23 00:14:35 EDT 2012


#15281: Gtk libraries dangerously out of date?
-----------------------------+----------------------------------------------
 Reporter:  ioerror          |     Owner:  datallah
     Type:  defect           |    Status:  new     
Component:  winpidgin (gtk)  |   Version:  2.10.6  
 Keywords:  security         |  
-----------------------------+----------------------------------------------
 I installed pidgin 2.10.6 today and downloaded GTK during the install
 process as mentioned in #15277.

 It appears that the libraries in that GTK package are dangerously out of
 date:
 {{{
 -rw-r--r-- 1 nobody nogroup  535264 2010-02-05 13:03 freetype6.dll
 -rw-r--r-- 1 nobody nogroup   25294 2010-02-07 12:30 gdk-pixbuf-query-loaders.exe
 -rw-r--r-- 1 nobody nogroup   24264 2009-09-02 13:13 gspawn-win32-helper-console.exe
 -rw-r--r-- 1 nobody nogroup   25718 2009-09-02 13:13 gspawn-win32-helper.exe
 -rw-r--r-- 1 nobody nogroup   26251 2010-02-07 12:35 gtk-query-immodules-2.0.exe
 -rw-r--r-- 1 nobody nogroup  104861 2008-01-24 14:54 intl.dll
 -rw-r--r-- 1 nobody nogroup  150664 2009-06-01 02:07 libatk-1.0-0.dll
 -rw-r--r-- 1 nobody nogroup  904525 2010-02-20 04:12 libcairo-2.dll
 -rw-r--r-- 1 nobody nogroup  143096 2009-01-31 13:42 libexpat-1.dll
 -rw-r--r-- 1 nobody nogroup  279059 2010-02-05 12:55 libfontconfig-1.dll
 -rw-r--r-- 1 nobody nogroup   53043 2010-02-07 12:37 libgailutil-18.dll
 -rw-r--r-- 1 nobody nogroup  252150 2010-02-07 12:30 libgdk_pixbuf-2.0-0.dll
 -rw-r--r-- 1 nobody nogroup  827670 2010-02-07 12:31 libgdk-win32-2.0-0.dll
 -rw-r--r-- 1 nobody nogroup  482872 2009-09-02 13:14 libgio-2.0-0.dll
 -rw-r--r-- 1 nobody nogroup 1100888 2009-09-02 13:13 libglib-2.0-0.dll
 -rw-r--r-- 1 nobody nogroup   31692 2009-09-02 13:13 libgmodule-2.0-0.dll
 -rw-r--r-- 1 nobody nogroup  314501 2009-09-02 13:13 libgobject-2.0-0.dll
 -rw-r--r-- 1 nobody nogroup   40146 2009-09-02 13:13 libgthread-2.0-0.dll
 -rw-r--r-- 1 nobody nogroup 4740156 2010-02-07 12:35 libgtk-win32-2.0-0.dll
 -rw-r--r-- 1 nobody nogroup  337702 2010-02-07 23:27 libpango-1.0-0.dll
 -rw-r--r-- 1 nobody nogroup   95189 2010-02-07 23:27 libpangocairo-1.0-0.dll
 -rw-r--r-- 1 nobody nogroup  686030 2010-02-07 23:27 libpangoft2-1.0-0.dll
 -rw-r--r-- 1 nobody nogroup  102774 2010-02-07 23:27 libpangowin32-1.0-0.dll
 -rw-r--r-- 1 nobody nogroup  219305 2010-01-12 06:05 libpng14-14.dll
 -rw-r--r-- 1 nobody nogroup   27101 2010-02-07 23:27 pango-querymodules.exe
 -rw-r--r-- 1 nobody nogroup   55808 2004-10-04 17:08 zlib1.dll
 }}}

 The manifest folder shows the following:
 {{{
 -rw-r--r-- 1 nobody nogroup 3347 2009-06-01 02:07 atk_1.26.0-1_win32.mft
 -rw-r--r-- 1 nobody nogroup  187 2010-02-20 04:13 cairo_1.8.10-1_win32.mft
 -rw-r--r-- 1 nobody nogroup   52 2009-01-31 13:42 expat_2.0.1-1_win32.mft
 -rw-r--r-- 1 nobody nogroup   83 2010-02-05 12:56 fontconfig_2.8.0-2_win32.mft
 -rw-r--r-- 1 nobody nogroup   55 2010-02-05 13:04 freetype_2.3.11-2_win32.mft
 -rw-r--r-- 1 nobody nogroup   67 2008-01-24 15:12 gettext-runtime-0.17-1.mft
 -rw-r--r-- 1 nobody nogroup 3659 2009-09-02 13:15 glib_2.20.5-1_win32.mft
 -rw-r--r-- 1 nobody nogroup 3636 2010-01-07 00:02 glib_2.22.4-1_win32.mft
 -rw-r--r-- 1 nobody nogroup 9293 2010-02-07 12:40 gtk+_2.16.6-2_win32.mft
 -rw-r--r-- 1 nobody nogroup   54 2010-01-12 06:05 libpng_1.4.0-1_win32.mft
 -rw-r--r-- 1 nobody nogroup  221 2010-02-07 23:28 pango_1.26.2-1_win32.mft
 }}}

 If those dates and versions are correct... It's really time to update the
 GTK dependencies or Windows users are remotely exploitable.

 At the very least these are exploitable/known buggy:

 FreeType 2.3.11 - the latest 2.3.x is 2.3.12 - the current stable version
 is 2.4.10

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1133

 expat 2.0.1 - the current stable version is 2.1.0

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0876

 libpng 1.4.0 - the current stable version is 1.5.12

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3048
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3425
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3048
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2690

 zlib 1.2.2 - the current stable is 1.2.7

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1849

 I didn't look at everything but I'd guess that every single library has a
 similar story. :(

-- 
Ticket URL: <http://developer.pidgin.im/ticket/15281>
Pidgin <http://pidgin.im>
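
The version comparison the ticket does by hand can be automated from the manifest folder listing. This is an added example, not part of the original ticket or of Pidgin's code: the filename pattern is inferred from the listing above, the baseline holds only the "current stable" versions the reporter states, and the names `parse_manifests`, `audit` and `vkey` are this example's own.

```python
import re

# Manifest names copied from the ticket's listing (mail-wrapped names rejoined).
MANIFESTS = [
    "atk_1.26.0-1_win32.mft", "cairo_1.8.10-1_win32.mft",
    "expat_2.0.1-1_win32.mft", "fontconfig_2.8.0-2_win32.mft",
    "freetype_2.3.11-2_win32.mft", "gettext-runtime-0.17-1.mft",
    "glib_2.20.5-1_win32.mft", "glib_2.22.4-1_win32.mft",
    "gtk+_2.16.6-2_win32.mft", "libpng_1.4.0-1_win32.mft",
    "pango_1.26.2-1_win32.mft",
]

# "Current stable" versions exactly as the reporter states them in the ticket.
REPORTED_STABLE = {"freetype": "2.4.10", "expat": "2.1.0", "libpng": "1.5.12"}

# name, separator (_ or -), dotted version, -revision, optional _win32 suffix
NAME_RE = re.compile(
    r"^(?P<name>.+?)[_-](?P<ver>\d+(?:\.\d+)+)-(?P<rev>\d+)(?:_win32)?\.mft$")

def vkey(version):
    """Turn '2.3.11' into (2, 3, 11) so 2.3.11 sorts above 2.3.9."""
    return tuple(int(p) for p in version.split("."))

def parse_manifests(names):
    """Map component -> versions (oldest first); reject names that do not parse."""
    inventory = {}
    for fname in names:
        m = NAME_RE.match(fname)
        if m is None:
            raise ValueError(f"unrecognised manifest name: {fname}")
        inventory.setdefault(m["name"], []).append(m["ver"])
    return {n: sorted(v, key=vkey) for n, v in inventory.items()}

def audit(inventory, baseline):
    """Return (outdated, duplicated, unchecked), judging by the oldest version."""
    outdated = {n: (vs[0], baseline[n]) for n, vs in inventory.items()
                if n in baseline and vkey(vs[0]) < vkey(baseline[n])}
    duplicated = {n: vs for n, vs in inventory.items() if len(vs) > 1}
    unchecked = sorted(n for n in inventory if n not in baseline)
    return outdated, duplicated, unchecked

if __name__ == "__main__":
    outdated, duplicated, unchecked = audit(parse_manifests(MANIFESTS), REPORTED_STABLE)
    for name, (have, want) in sorted(outdated.items()):
        print(f"OUTDATED  {name}: bundled {have}, reported stable {want}")
    for name, versions in duplicated.items():
        print(f"MULTIPLE  {name}: manifests for {', '.join(versions)}")
    print("NO BASELINE:", ", ".join(unchecked))
```

Components reported under NO BASELINE have no upstream version in the ticket to compare against; zlib does not appear at all because the listing shows no manifest for it.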