openSUSE-SU-2014:0239-1: moderate: update for pidgin, pidgin-branding-openSUSE
openSUSE Security Update: update for pidgin, pidgin-branding-openSUSE
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:0239-1
Rating:             moderate
References:         #861019
Cross-References:   CVE-2012-6152 CVE-2013-6477 CVE-2013-6478 CVE-2013-6479
                    CVE-2013-6481 CVE-2013-6482 CVE-2013-6483 CVE-2013-6484
                    CVE-2013-6485 CVE-2013-6486 CVE-2013-6487 CVE-2014-0020
Affected Products:
                    openSUSE 13.1
                    openSUSE 12.3
______________________________________________________________________________

An update that fixes 12 vulnerabilities is now available.

Description:

- Update to version 2.10.8 (bnc#861019):
  + General: Python build scripts and example plugins are now compatible
    with Python 3 (pidgin.im#15624).
  + libpurple:
    - Fix potential crash if libpurple gets an error attempting to read a
      reply from a STUN server (CVE-2013-6484).
    - Fix potential crash parsing a malformed HTTP response (CVE-2013-6479).
    - Fix buffer overflow when parsing a malformed HTTP response with
      chunked Transfer-Encoding (CVE-2013-6485).
    - Better handling of HTTP proxy responses with negative Content-Lengths.
    - Fix handling of SSL certificates without subjects when using libnss.
    - Fix handling of SSL certificates with timestamps in the distant future
      when using libnss (pidgin.im#15586).
    - Impose maximum download size for all HTTP fetches.
  + Pidgin:
    - Fix crash displaying tooltip of long URLs (CVE-2013-6478).
    - Better handling of URLs longer than 1000 letters.
    - Fix handling of multibyte UTF-8 characters in smiley themes
      (pidgin.im#15756).
  + AIM: Fix untrusted certificate error.
  + AIM and ICQ: Fix a possible crash when receiving a malformed message in
    a Direct IM session.
  + Gadu-Gadu:
    - Fix buffer overflow with remote code execution potential. Only
      triggerable by a Gadu-Gadu server or a man-in-the-middle
      (CVE-2013-6487).
    - Disabled buddy list import/export from/to server.
    - Disabled new account registration and password change options.
  + IRC:
    - Fix bug where a malicious server or man-in-the-middle could trigger a
      crash by not sending enough arguments with various messages
      (CVE-2014-0020).
    - Fix bug where initial IRC status would not be set correctly.
    - Fix bug where IRC wasn't available when libpurple was compiled with
      Cyrus SASL support (pidgin.im#15517).
  + MSN:
    - Fix NULL pointer dereference parsing headers in MSN (CVE-2013-6482).
    - Fix NULL pointer dereference parsing OIM data in MSN (CVE-2013-6482).
    - Fix NULL pointer dereference parsing SOAP data in MSN (CVE-2013-6482).
    - Fix possible crash when sending very long messages. Not
      remotely-triggerable.
  + MXit:
    - Fix buffer overflow with remote code execution potential
      (CVE-2013-6487).
    - Fix sporadic crashes that can happen after user is disconnected.
    - Fix crash when attempting to add a contact via search results.
    - Show error message if file transfer fails.
    - Fix compiling with InstantBird.
    - Fix display of some custom emoticons.
  + SILC: Correctly set whiteboard dimensions in whiteboard sessions.
  + SIMPLE: Fix buffer overflow with remote code execution potential
    (CVE-2013-6487).
  + XMPP:
    - Prevent spoofing of iq replies by verifying that the 'from' address
      matches the 'to' address of the iq request (CVE-2013-6483).
    - Fix crash on some systems when receiving fake delay timestamps with
      extreme values (CVE-2013-6477).
    - Fix possible crash or other erratic behavior when selecting a very
      small file for your own buddy icon.
    - Fix crash if the user tries to initiate a voice/video session with a
      resourceless JID.
    - Fix login errors when the first two available auth mechanisms fail but
      a subsequent mechanism would otherwise work when using Cyrus SASL
      (pidgin.im#15524).
    - Fix dropping incoming stanzas on BOSH connections when we receive
      multiple HTTP responses at once (pidgin.im#15684).
  + Yahoo!:
    - Fix possible crashes handling incoming strings that are not UTF-8
      (CVE-2012-6152).
    - Fix a bug reading a peer to peer message where a remote user could
      trigger a crash (CVE-2013-6481).
  + Plugins:
    - Fix crash in contact availability plugin.
    - Fix perl function Purple::Network::ip_atoi.
    - Add Unity integration plugin.
  + Windows specific fixes: (CVE-2013-6486, pidgin.im#15520,
    pidgin.im#15521, bgo#668154).
- Drop pidgin-irc-sasl.patch, fixed upstream.
- Obsolete pidgin-facebookchat: the package is no longer maintained and
  pidgin has built-in support for Facebook Chat.
- Protect buildrequires for mono-devel with with_mono macro.
- Add pidgin-gstreamer1.patch: Port to GStreamer 1.0. Only enabled on
  openSUSE 13.1 and newer.
- On openSUSE 13.1 and newer, use gstreamer-devel and
  gstreamer-plugins-base-devel BuildRequires.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.1:

  zypper in -t patch openSUSE-2014-132

- openSUSE 12.3:

  zypper in -t patch openSUSE-2014-132

To bring your system up-to-date, use "zypper patch".
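The XMPP fix for CVE-2013-6483 above is a request/response correlation check: a client keeps track of the iq requests it sent and discards any result or error whose 'from' does not match the 'to' of the matching request. The example below is added here to illustrate that rule and is not libpurple's code; the JIDs and stanzas are constructed sample data.

```python
# Added example (not libpurple's code): track outstanding XMPP <iq/> requests
# and reject replies whose 'from' does not match the request's 'to'.
# OWN_JID and the stanzas used with it are constructed sample values.
from xml.etree import ElementTree as ET

OWN_JID = "alice@example.org/laptop"   # constructed: our own full JID
OWN_BARE = OWN_JID.split("/", 1)[0]    # alice@example.org
SERVER = OWN_BARE.split("@", 1)[1]     # example.org

# iq id -> 'to' address the request was sent to (None if 'to' was omitted)
pending = {}


def send_iq(iq_id, to=None):
    """Record an outgoing iq request so that its reply can be checked."""
    pending[iq_id] = to


def reply_is_trusted(stanza_xml):
    """Return True only for an iq result/error that answers a request we sent
    and whose 'from' equals that request's 'to'.

    A request sent without 'to' is addressed to our own account/server, so
    its reply may carry no 'from', our bare JID, or the server domain.
    Anything else (unknown id, mismatched sender, duplicate reply) is dropped.
    """
    iq = ET.fromstring(stanza_xml)
    if iq.tag.split("}")[-1] != "iq":          # tolerate a namespaced tag
        return False
    if iq.get("type") not in ("result", "error"):
        return False
    iq_id = iq.get("id")
    if iq_id not in pending:
        return False                           # unsolicited or replayed reply
    expected = pending[iq_id]
    sender = iq.get("from")
    if expected is None:
        ok = sender in (None, OWN_BARE, SERVER)
    else:
        ok = sender == expected
    if ok:
        del pending[iq_id]                     # each id is answered once
    return ok
```

A mismatched reply leaves the request pending, so the genuine answer from the addressed JID is still accepted when it arrives.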
Package List:

- openSUSE 13.1 (i586 x86_64):

  finch-2.10.9-4.6.1
  finch-debuginfo-2.10.9-4.6.1
  finch-devel-2.10.9-4.6.1
  libpurple-2.10.9-4.6.1
  libpurple-debuginfo-2.10.9-4.6.1
  libpurple-devel-2.10.9-4.6.1
  libpurple-meanwhile-2.10.9-4.6.1
  libpurple-meanwhile-debuginfo-2.10.9-4.6.1
  libpurple-tcl-2.10.9-4.6.1
  libpurple-tcl-debuginfo-2.10.9-4.6.1
  pidgin-2.10.9-4.6.1
  pidgin-debuginfo-2.10.9-4.6.1
  pidgin-debugsource-2.10.9-4.6.1
  pidgin-devel-2.10.9-4.6.1

- openSUSE 13.1 (noarch):

  libpurple-branding-openSUSE-13.1-2.6.1
  libpurple-branding-upstream-2.10.9-4.6.1
  libpurple-lang-2.10.9-4.6.1

- openSUSE 12.3 (i586 x86_64):

  finch-2.10.9-4.10.1
  finch-debuginfo-2.10.9-4.10.1
  finch-devel-2.10.9-4.10.1
  libpurple-2.10.9-4.10.1
  libpurple-debuginfo-2.10.9-4.10.1
  libpurple-devel-2.10.9-4.10.1
  libpurple-meanwhile-2.10.9-4.10.1
  libpurple-meanwhile-debuginfo-2.10.9-4.10.1
  libpurple-tcl-2.10.9-4.10.1
  libpurple-tcl-debuginfo-2.10.9-4.10.1
  pidgin-2.10.9-4.10.1
  pidgin-debuginfo-2.10.9-4.10.1
  pidgin-debugsource-2.10.9-4.10.1
  pidgin-devel-2.10.9-4.10.1

- openSUSE 12.3 (noarch):

  libpurple-branding-openSUSE-12.2-4.10.1
  libpurple-branding-upstream-2.10.9-4.10.1
  libpurple-lang-2.10.9-4.10.1

References:

http://support.novell.com/security/cve/CVE-2012-6152.html
http://support.novell.com/security/cve/CVE-2013-6477.html
http://support.novell.com/security/cve/CVE-2013-6478.html
http://support.novell.com/security/cve/CVE-2013-6479.html
http://support.novell.com/security/cve/CVE-2013-6481.html
http://support.novell.com/security/cve/CVE-2013-6482.html
http://support.novell.com/security/cve/CVE-2013-6483.html
http://support.novell.com/security/cve/CVE-2013-6484.html
http://support.novell.com/security/cve/CVE-2013-6485.html
http://support.novell.com/security/cve/CVE-2013-6486.html
http://support.novell.com/security/cve/CVE-2013-6487.html
http://support.novell.com/security/cve/CVE-2014-0020.html
https://bugzilla.novell.com/861019