openSUSE Security Update : pidgin / pidgin-branding-openSUSE (openSUSE-SU-2014:0239-1)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

- Update to version 2.10.8 (bnc#861019) :

+ General: Python build scripts and example plugins are
now compatible with Python 3 (pidgin.im#15624).

+ libpurple :

- Fix potential crash if libpurple gets an error
attempting to read a reply from a STUN server
(CVE-2013-6484).

- Fix potential crash parsing a malformed HTTP response
(CVE-2013-6479).

- Fix buffer overflow when parsing a malformed HTTP
response with chunked Transfer-Encoding (CVE-2013-6485).

- Better handling of HTTP proxy responses with negative
Content-Lengths.

- Fix handling of SSL certificates without subjects when
using libnss.

- Fix handling of SSL certificates with timestamps in the
distant future when using libnss (pidgin.im#15586).

- Impose maximum download size for all HTTP fetches.

+ Pidgin :

- Fix crash displaying tooltip of long URLs
(CVE-2013-6478).

- Better handling of URLs longer than 1000 letters.

- Fix handling of multibyte UTF-8 characters in smiley
themes (pidgin.im#15756).

+ AIM: Fix untrusted certificate error.

+ AIM and ICQ: Fix a possible crash when receiving a
malformed message in a Direct IM session.

+ Gadu-Gadu :

- Fix buffer overflow with remote code execution
potential. Only triggerable by a Gadu-Gadu server or a
man-in-the-middle (CVE-2013-6487).

- Disabled buddy list import/export from/to server.

- Disabled new account registration and password change
options.

+ IRC :

- Fix bug where a malicious server or man-in-the-middle
could trigger a crash by not sending enough arguments
with various messages (CVE-2014-0020).

- Fix bug where initial IRC status would not be set
correctly.

- Fix bug where IRC wasn't available when libpurple was
compiled with Cyrus SASL support (pidgin.im#15517).

+ MSN :

- Fix NULL pointer dereference parsing headers in MSN
(CVE-2013-6482).

- Fix NULL pointer dereference parsing OIM data in MSN
(CVE-2013-6482).

- Fix NULL pointer dereference parsing SOAP data in MSN
(CVE-2013-6482).

- Fix possible crash when sending very long messages. Not
remotely-triggerable.

+ MXit :

- Fix buffer overflow with remote code execution potential
(CVE-2013-6487).

- Fix sporadic crashes that can happen after user is
disconnected.

- Fix crash when attempting to add a contact via search
results.

- Show error message if file transfer fails.

- Fix compiling with InstantBird.

- Fix display of some custom emoticons.

+ SILC: Correctly set whiteboard dimensions in whiteboard
sessions.

+ SIMPLE: Fix buffer overflow with remote code execution
potential (CVE-2013-6487).

+ XMPP :

- Prevent spoofing of iq replies by verifying that the
'from' address matches the 'to' address of the iq
request (CVE-2013-6483).

- Fix crash on some systems when receiving fake delay
timestamps with extreme values (CVE-2013-6477).

- Fix possible crash or other erratic behavior when
selecting a very small file for your own buddy icon.

- Fix crash if the user tries to initiate a voice/video
session with a resourceless JID.

- Fix login errors when the first two available auth
mechanisms fail but a subsequent mechanism would
otherwise work when using Cyrus SASL (pidgin.im#15524).

- Fix dropping incoming stanzas on BOSH connections when
we receive multiple HTTP responses at once
(pidgin.im#15684).

+ Yahoo! :

- Fix possible crashes handling incoming strings that are
not UTF-8 (CVE-2012-6152).

- Fix a bug reading a peer to peer message where a remote
user could trigger a crash (CVE-2013-6481).

+ Plugins :

- Fix crash in contact availability plugin.

- Fix perl function Purple::Network::ip_atoi.

- Add Unity integration plugin.

+ Windows specific fixes: (CVE-2013-6486, pidgin.im#15520,
pidgin.im#15521, bgo#668154).

- Drop pidgin-irc-sasl.patch, fixed upstream.

- Obsolete pidgin-facebookchat: the package is no longer
maintained and pidgin as built-in support for Facebook
Chat.

- Protect buildrequires for mono-devel with with_mono
macro.

- Add pidgin-gstreamer1.patch: Port to GStreamer 1.0. Only
enabled on openSUSE 13.1 and newer.

- On openSUSE 13.1 and newer, use gstreamer-devel and
gstreamer-plugins-base-devel BuildRequires.

See also :

http://lists.opensuse.org/opensuse-updates/2014-02/msg00039.html
https://bugzilla.novell.com/show_bug.cgi?id=861019

Solution :

Update the affected pidgin / pidgin-branding-openSUSE packages.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.1
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now