Updated pidgin packages fix security vulnerabilities
Publication date: 25 Oct 2014Modification date: 25 Oct 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-3694 , CVE-2014-3695 , CVE-2014-3696 , CVE-2014-3698
Description
In Pidgin before 2.10.10, both of libpurple's bundled SSL/TLS plugins (one
for GnuTLS and one for NSS) failed to check that the Basic Constraints
extension allowed intermediate certificates to act as CAs. This allowed
anyone with any valid certificate to create a fake certificate for any
arbitrary domain and Pidgin would trust it (CVE-2014-3694).
In Pidgin before 2.10.10, a malicious server or man-in-the-middle could
trigger a crash in libpurple by sending an emoticon with an overly large
length value (CVE-2014-3695).
In Pidgin before 2.10.10, a malicious server or man-in-the-middle could
trigger a crash in libpurple by specifying that a large amount of memory
should be allocated in many places in the UI (CVE-2014-3696).
In Pidgin before 2.10.10, a malicious server and possibly even a malicious
remote user could create a carefully crafted XMPP message that causes
libpurple to send an XMPP message containing arbitrary memory
(CVE-2014-3698).
The pidgin package has been updated to version 2.10.10 which fixes these
issues and other bugs.
References
- https://bugs.mageia.org/show_bug.cgi?id=14344
- http://www.pidgin.im/news/security/?id=86
- http://www.pidgin.im/news/security/?id=87
- http://www.pidgin.im/news/security/?id=88
- http://www.pidgin.im/news/security/?id=90
- https://developer.pidgin.im/wiki/ChangeLog
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3694
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3695
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3696
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3698
SRPMS
3/core
- pidgin-2.10.10-1.mga3
4/core
- pidgin-2.10.10-1.mga4