Advisories » MGASA-2014-0295

Updated pidgin packages fix CVE-2014-3775

Publication date: 26 Jul 2014
Modification date: 26 Jul 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-3775

Description

Updated pidgin packages fix security vulnerability:

It was discovered that libgadu incorrectly handled certain messages from
file relay servers. A malicious remote server or a man in the middle could
use this issue to cause applications using libgadu to crash, resulting in a
denial of service, or possibly execute arbitrary code (CVE-2014-3775).

The pidgin package was built with a bundled copy of the libgadu library which
contained the vulnerable code.  It has now been built against the external
libgadu library, which had been fixed in a previous update.

This update also fixes an issue with the Yahoo! protocol that was caused by a
bad interaction with the GnuTLS library.
                

References

• http://www.ubuntu.com/usn/usn-2216-1/
• https://bugs.mageia.org/show_bug.cgi?id=13420
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3775

SRPMS

3/core

• pidgin-2.10.9-1.1.mga3

4/core

• pidgin-2.10.9-1.1.mga4