[Pidgin] #15285: libxml2 library out of date

Pidgin trac at pidgin.im
Sat Aug 25 20:36:59 EDT 2012 

#15285: libxml2 library out of date
-----------------------------+----------------------------------------------
 Reporter:  ioerror          |     Owner:  datallah
     Type:  defect           |    Status:  new     
Component:  winpidgin (gtk)  |   Version:  2.10.6  
 Keywords:  security         |  
-----------------------------+----------------------------------------------
 It appears that the pidgin libxml2 library shipped with the Windows
 release is old and vulnerable:
 {{{
 % objdump -d -p libxml2-2.dll|head

 libxml2-2.dll:     file format pei-i386

 Characteristics 0x2106
         executable
         line numbers stripped
         32 bit words
         DLL

 Time/Date               Mon Sep 14 09:05:21 2009
 }}}

 I noticed that the Windows Build (
 http://developer.pidgin.im/wiki/BuildingWinPidgin ) page suggests the
 following:
 {{{
 Libxml2
 Download libxml2-dev_2.7.4-1_win32.zip and libxml2_2.7.4-1_win32.zip.
 Extract both to $PIDGIN_DEV_ROOT/win32-dev/libxml2-2.7.4 (you'll need to
 create this directory).
 }}}

 That isn't the correct version used in builds nor the most recent version
 of libxml2.

 When I look at the GTK website where those files live, I don't see a
 libxml2 build produced after 07-Apr-2010. It appears that the hash of the
 libxml2 shipped with pidgin is:
 {{{
 % sha1sum libxml2-2.dll
 6f3b13168336aa531e019b7dd237ed51c2992511  libxml2-2.dll
 }}}

 That appears to be the same as the file available (
 http://ftp.gnome.org/pub/gnome/binaries/win32/dependencies/libxml2_2.7.4-1_win32.zip
 ) from gnome as libxml2_2.7.4-1_win32.zip:
 {{{
 unzip libxml2_2.7.4-1_win32.zip
 Archive:  libxml2_2.7.4-1_win32.zip
   inflating: bin/libxml2-2.dll
   inflating: manifest/libxml2_2.7.4-1_win32.mft
 % sha1sum bin/libxml2-2.dll
 6f3b13168336aa531e019b7dd237ed51c2992511  bin/libxml2-2.dll
 }}}

 So GTK's website actually has a newer, but still vulnerable libxml2-2.dll
 library and appears to pidgin ship one built on 14-Sep-2009. It appears
 that CVE-2010-4008 applies to this library:
 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4008

-- 
Ticket URL: <http://developer.pidgin.im/ticket/15285>
Pidgin <http://pidgin.im>
Pidgin

More information about the Tracker mailing list