openSUSE-SU-2014:0239-1: moderate: update for pidgin, pidgin-branding-openSUSE

15 Feb 2014

      openSUSE Security Update: update for pidgin, pidgin-branding-openSUSE
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:0239-1
Rating:             moderate
References:         #861019 
Cross-References:   CVE-2012-6152 CVE-2013-6477 CVE-2013-6478
                    CVE-2013-6479 CVE-2013-6481 CVE-2013-6482
                    CVE-2013-6483 CVE-2013-6484 CVE-2013-6485
                    CVE-2013-6486 CVE-2013-6487 CVE-2014-0020

Affected Products:
                    openSUSE 13.1
                    openSUSE 12.3
______________________________________________________________________________

   An update that fixes 12 vulnerabilities is now available.

Description:

   - Update to version 2.10.8 (bnc#861019):
   + General: Python build scripts and example plugins are
   now compatible with Python 3 (pidgin.im#15624).
   + libpurple:
   - Fix potential crash if libpurple gets an error
   attempting to read a reply from a STUN server
   (CVE-2013-6484).
   - Fix potential crash parsing a malformed HTTP response
   (CVE-2013-6479).
   - Fix buffer overflow when parsing a malformed HTTP
   response with chunked Transfer-Encoding (CVE-2013-6485).
   - Better handling of HTTP proxy responses with negative
   Content-Lengths.
   - Fix handling of SSL certificates without subjects
   when using libnss.
   - Fix handling of SSL certificates with timestamps in
   the distant future when using libnss (pidgin.im#15586).
   - Impose maximum download size for all HTTP fetches.
   + Pidgin:
   - Fix crash displaying tooltip of long URLs
   (CVE-2013-6478).
   - Better handling of URLs longer than 1000 letters.
   - Fix handling of multibyte UTF-8 characters in smiley
   themes (pidgin.im#15756).
   + AIM: Fix untrusted certificate error.
   + AIM and ICQ: Fix a possible crash when receiving a
   malformed message in a Direct IM session.
   + Gadu-Gadu:
   - Fix buffer overflow with remote code execution
   potential. Only triggerable by a Gadu-Gadu server or a
   man-in-the-middle (CVE-2013-6487).
   - Disabled buddy list import/export from/to server.
   - Disabled new account registration and password change
   options.
   + IRC:
   - Fix bug where a malicious server or man-in-the-middle
   could trigger a crash by not sending enough arguments with
   various messages (CVE-2014-0020).
   - Fix bug where initial IRC status would not be set
   correctly.
   - Fix bug where IRC wasn't available when libpurple was
   compiled with Cyrus SASL support (pidgin.im#15517).
   + MSN:
   - Fix NULL pointer dereference parsing headers in MSN
   (CVE-2013-6482).
   - Fix NULL pointer dereference parsing OIM data in MSN
   (CVE-2013-6482).
   - Fix NULL pointer dereference parsing SOAP data in MSN
   (CVE-2013-6482).
   - Fix possible crash when sending very long messages.
   Not remotely-triggerable.
   + MXit:
   - Fix buffer overflow with remote code execution
   potential (CVE-2013-6487).
   - Fix sporadic crashes that can happen after user is
   disconnected.
   - Fix crash when attempting to add a contact via search
   results.
   - Show error message if file transfer fails.
   - Fix compiling with InstantBird.
   - Fix display of some custom emoticons.
   + SILC: Correctly set whiteboard dimensions in whiteboard
   sessions.
   + SIMPLE: Fix buffer overflow with remote code execution
   potential (CVE-2013-6487).
   + XMPP:
   - Prevent spoofing of iq replies by verifying that the
   'from' address matches the 'to' address of the iq request
   (CVE-2013-6483).
   - Fix crash on some systems when receiving fake delay
   timestamps with extreme values (CVE-2013-6477).
   - Fix possible crash or other erratic behavior when
   selecting a very small file for your own buddy icon.
   - Fix crash if the user tries to initiate a voice/video
   session with a resourceless JID.
   - Fix login errors when the first two available auth
   mechanisms fail but a subsequent mechanism would otherwise
   work when using Cyrus SASL (pidgin.im#15524).
   - Fix dropping incoming stanzas on BOSH connections
   when we receive multiple HTTP responses at once
   (pidgin.im#15684).
   + Yahoo!:
   - Fix possible crashes handling incoming strings that
   are not UTF-8 (CVE-2012-6152).
   - Fix a bug reading a peer to peer message where a
   remote user could trigger a crash (CVE-2013-6481).
   + Plugins:
   - Fix crash in contact availability plugin.
   - Fix perl function Purple::Network::ip_atoi.
   - Add Unity integration plugin.
   + Windows specific fixes: (CVE-2013-6486,
   pidgin.im#15520, pidgin.im#15521, bgo#668154).
   - Drop pidgin-irc-sasl.patch, fixed upstream.

   - Obsolete pidgin-facebookchat: the package is no longer
   maintained and pidgin as built-in support for Facebook
   Chat.

   - Protect buildrequires for mono-devel with with_mono macro.

   - Add pidgin-gstreamer1.patch: Port to GStreamer 1.0. Only
   enabled on openSUSE 13.1 and newer.
   - On openSUSE 13.1 and newer, use gstreamer-devel and
   gstreamer-plugins-base-devel BuildRequires.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2014-132

   - openSUSE 12.3:

      zypper in -t patch openSUSE-2014-132

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 13.1 (i586 x86_64):

      finch-2.10.9-4.6.1
      finch-debuginfo-2.10.9-4.6.1
      finch-devel-2.10.9-4.6.1
      libpurple-2.10.9-4.6.1
      libpurple-debuginfo-2.10.9-4.6.1
      libpurple-devel-2.10.9-4.6.1
      libpurple-meanwhile-2.10.9-4.6.1
      libpurple-meanwhile-debuginfo-2.10.9-4.6.1
      libpurple-tcl-2.10.9-4.6.1
      libpurple-tcl-debuginfo-2.10.9-4.6.1
      pidgin-2.10.9-4.6.1
      pidgin-debuginfo-2.10.9-4.6.1
      pidgin-debugsource-2.10.9-4.6.1
      pidgin-devel-2.10.9-4.6.1

   - openSUSE 13.1 (noarch):

      libpurple-branding-openSUSE-13.1-2.6.1
      libpurple-branding-upstream-2.10.9-4.6.1
      libpurple-lang-2.10.9-4.6.1

   - openSUSE 12.3 (i586 x86_64):

      finch-2.10.9-4.10.1
      finch-debuginfo-2.10.9-4.10.1
      finch-devel-2.10.9-4.10.1
      libpurple-2.10.9-4.10.1
      libpurple-debuginfo-2.10.9-4.10.1
      libpurple-devel-2.10.9-4.10.1
      libpurple-meanwhile-2.10.9-4.10.1
      libpurple-meanwhile-debuginfo-2.10.9-4.10.1
      libpurple-tcl-2.10.9-4.10.1
      libpurple-tcl-debuginfo-2.10.9-4.10.1
      pidgin-2.10.9-4.10.1
      pidgin-debuginfo-2.10.9-4.10.1
      pidgin-debugsource-2.10.9-4.10.1
      pidgin-devel-2.10.9-4.10.1

   - openSUSE 12.3 (noarch):

      libpurple-branding-openSUSE-12.2-4.10.1
      libpurple-branding-upstream-2.10.9-4.10.1
      libpurple-lang-2.10.9-4.10.1

References:

   http://support.novell.com/security/cve/CVE-2012-6152.html
   http://support.novell.com/security/cve/CVE-2013-6477.html
   http://support.novell.com/security/cve/CVE-2013-6478.html
   http://support.novell.com/security/cve/CVE-2013-6479.html
   http://support.novell.com/security/cve/CVE-2013-6481.html
   http://support.novell.com/security/cve/CVE-2013-6482.html
   http://support.novell.com/security/cve/CVE-2013-6483.html
   http://support.novell.com/security/cve/CVE-2013-6484.html
   http://support.novell.com/security/cve/CVE-2013-6485.html
   http://support.novell.com/security/cve/CVE-2013-6486.html
   http://support.novell.com/security/cve/CVE-2013-6487.html
   http://support.novell.com/security/cve/CVE-2014-0020.html
   https://bugzilla.novell.com/861019

openSUSE-SU-2014:0239-1: moderate: update for pidgin, pidgin-branding-openSUSE

opensuse-security＠opensuse.org