--- a/htdocs/ChangeLog Mon Jan 27 21:28:35 2014 -0800
+++ b/htdocs/ChangeLog Tue Jan 28 07:08:59 2014 -0800
@@ -1,5 +1,128 @@
Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul
+version 2.10.8 (1/28/2014): + * Python build scripts and example plugins are now compatible with + Python 3. (Ashish Gupta) (#15624) + * Fix potential crash if libpurple gets an error attempting to read a + reply from a STUN server. (Discovered by Coverity static analysis) + * Fix potential crash parsing a malformed HTTP response. (Discovered by + Jacob Appelbaum of the Tor Project) (CVE-2013-6479) + * Fix buffer overflow when parsing a malformed HTTP response with + chunked Transfer-Encoding. (Discovered by Matt Jones, Volvent) + * Better handling of HTTP proxy responses with negative Content-Lengths. + (Discovered by Matt Jones, Volvent) + * Fix handling of SSL certificates without subjects when using libnss. + * Fix handling of SSL certificates with timestamps in the distant future + when using libnss. (#15586) + * Impose maximum download size for all HTTP fetches. + * Fix crash displaying tooltip of long URLs. (CVE-2013-6478) + * Better handling of URLs longer than 1000 letters. + * Fix handling of multibyte UTF-8 characters in smiley themes. (#15756) + Windows-Specific Changes: + * When clicking file:// links, show the file in Explorer rather than + attempting to run the file. This reduces the chances of a user + clicking on a link and mistakenly running a malicious file. + (Originally discovered by James Burton, Insomnia Security. Rediscovered + by Yves Younan of Sourcefire VRT.) (CVE-2013-6486) + * Fix Tcl scripts. (#15520) + * Fix crash-on-startup when ASLR is always on. (#15521) + * Updates to dependencies: + * NSS 3.15.4 and NSPR 4.10.2 + Patched for https://bugzilla.gnome.org/show_bug.cgi?id=668154 + * Fix untrusted certificate error. + * Fix a possible crash when receiving a malformed message in a Direct IM + * Fix buffer overflow with remote code execution potential. Only + triggerable by a Gadu-Gadu server or a man-in-the-middle. 
+ (Discovered by Yves Younan and Ryan Pentney of Sourcefire VRT) + * Disabled buddy list import/export from/to server (it didn't work + anymore). Buddy list synchronization will be implemented in 3.0.0. + * Disabled new account registration and password change options, as it + didn't work either. Account registration also caused a crash. Both + functions are available using official Gadu-Gadu website. + * Fix bug where a malicious server or man-in-the-middle could trigger + a crash by not sending enough arguments with various messages. + (Discovered by Daniel Atallah) (CVE-2014-0020) + * Fix bug where initial IRC status would not be set correctly. + * Fix bug where IRC wasn't available when libpurple was compiled with + Cyrus SASL support. (#15517) + * Fix NULL pointer dereference parsing headers in MSN. + (Discovered by Fabian Yamaguchi and Christian Wressnegger of the + University of Goettingen) (CVE-2013-6482) + * Fix NULL pointer dereference parsing OIM data in MSN. + (Discovered by Fabian Yamaguchi and Christian Wressnegger of the + University of Goettingen) (CVE-2013-6482) + * Fix NULL pointer dereference parsing SOAP data in MSN. + (Discovered by Fabian Yamaguchi and Christian Wressnegger of the + University of Goettingen) (CVE-2013-6482) + * Fix possible crash when sending very long messages. Not + remotely-triggerable. (Discovered by Matt Jones, Volvent) + * Fix buffer overflow with remote code execution potential. + (Discovered by Yves Younan and Pawel Janic of Sourcefire VRT) + * Fix sporadic crashes that can happen after user is disconnected. + * Fix crash when attempting to add a contact via search results. + * Show error message if file transfer fails. + * Fix compiling with InstantBird. + * Fix display of some custom emoticons. + * Correctly set whiteboard dimensions in whiteboard sessions. + * Fix buffer overflow with remote code execution potential. 
+ (Discovered by Yves Younan of Sourcefire VRT) (CVE-2013-6490) + * Prevent spoofing of iq replies by verifying that the 'from' address + matches the 'to' address of the iq request. (Discovered by Fabian + Yamaguchi and Christian Wressnegger of the University of Goettingen, + fixed by Thijs Alkemade) (CVE-2013-6483) + * Fix crash on some systems when receiving fake delay timestamps with + extreme values. (Discovered by Jaime Breva Ribes) (CVE-2013-6477) + * Fix possible crash or other erratic behavior when selecting a very + small file for your own buddy icon. + * Fix crash if the user tries to initiate a voice/video session with a + * Fix login errors when the first two available auth mechanisms fail but + a subsequent mechanism would otherwise work when using Cyrus SASL. + * Fix dropping incoming stanzas on BOSH connections when we receive + multiple HTTP responses at once. (Issa Gorissen) (#15684) + * Fix possible crashes handling incoming strings that are not UTF-8. + (Discovered by Thijs Alkemade and Robert Vehse) (CVE-2012-6152) + * Fix a bug reading a peer to peer message where a remote user could + trigger a crash. (CVE-2013-6481) + * Fix crash in contact availability plugin. + * Fix perl function Purple::Network::ip_atoi + * Add Unity integration plugin. version 2.10.7 (02/13/2013):
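Review bot: several security items in this hunk omit the CVE identifier that the security page in the same commit assigns to the same fix, for example the chunked Transfer-Encoding overflow (CVE-2013-6485 there), the STUN reply crash (CVE-2013-6484), the Gadu-Gadu "buffer overflow with remote code execution potential" (CVE-2013-6487) and the MXit one (CVE-2013-6489); add the identifiers so readers can cross-reference the ChangeLog with the advisory list. The item "Fix crash if the user tries to initiate a voice/video session with a" ends mid-sentence and should be completed before release, and the release date "1/28/2014" disagrees with the "2014-02-28" dates used for every new advisory entry in this same commit.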
--- a/htdocs/index.php Mon Jan 27 21:28:35 2014 -0800
+++ b/htdocs/index.php Tue Jan 28 07:08:59 2014 -0800
@@ -115,7 +115,7 @@
<p class="more" id="lowblurb">
<!-- Put little news blurbs here! -->
-Pidgin 2.10.7 contains <a href="/news/security/">some security updates</a> for users of MXit, Sametime, and anyone connected to a public network (unencrypted Wi-Fi, universities, offices, etc). It also contains updated SSL certificates to fix signin problems with MSN. Please upgrade!
+Pidgin 2.10.8 contains <a href="/news/security/">important security updates</a> for all users. It also fixes the untrusted SSL certificates for AIM. Please upgrade! --- a/htdocs/news/security/index.php Mon Jan 27 21:28:35 2014 -0800
+++ b/htdocs/news/security/index.php Tue Jan 28 07:08:59 2014 -0800
@@ -723,6 +723,176 @@
"fixrevisions" => "ad7e7fb98db3",
"fixedversion" => "2.10.7",
"discoveredby" => "Coverity static analysis"
+ "title" => "Windows Pidgin crash receiving some characters", + "date" => "2014-02-28", + "description" => "The library used to render fonts would sometimes crash when attempting to display certain Unicode characters.", + "fix" => "Patch the version of Pango that we bundle with our installer to not crash when displaying these characters.", + "fixrevisions" => "3542f04b5e52", + "fixedversion" => "2.10.8", + "discoveredby" => "Eion Robb" + "title" => "Yahoo! remote crash from incorrect character encoding", + "date" => "2014-02-28", + "cve" => "CVE-2012-6152", + "description" => "Many places in the Yahoo! protocol plugin assumed incoming strings were UTF-8 and failed to transcode from non-UTF-8 encodings. This can lead to a crash when receiving strings that aren't UTF-8.", + "fix" => "Depending on the context, either validate that a string is UTF-8 or transcode the string from the appropriate encoding to UTF-8.", + "fixrevisions" => "b0345c25f886", + "fixedversion" => "2.10.8", + "discoveredby" => "Thijs Alkemade and Robert Vehse" + "title" => "Crash handling bad XMPP timestamp", + "date" => "2014-02-28", + "cve" => "CVE-2013-6477", + "description" => "A remote XMPP user can trigger a crash on some systems by sending a message with a timestamp in the distant future.", + "fix" => "Avoid passing negative timestamps to localtime().", + "fixrevisions" => "852014ae74a0", + "fixedversion" => "2.10.8", + "discoveredby" => "Jaime Breva Ribes" + "title" => "Crash when hovering pointer over a long URL", + "date" => "2014-02-28", + "cve" => "CVE-2013-6478", + "description" => "libX11 forcefully exits when Pidgin tries to create an exceptionally wide tooltip window.", + "fix" => "Only display the first 200 characters of the URL in the tooltip.", + "fixrevisions" => "2bb66ef1475e", + "fixedversion" => "2.10.8", + "discoveredby" => "<a href=\"/pipermail/support/2013-March/012980.html\">support email #1</a>, <a href=\"/pipermail/support/2013-March/012981.html\">support email 
#2</a>" + "title" => "Remote crash parsing HTTP responses", + "date" => "2014-02-28", + "cve" => "CVE-2013-6479", + "description" => "A malicious server or man-in-the-middle could send a malformed HTTP response that could lead to a crash.", + "fix" => "Validate response before using it.", + "fixrevisions" => "cd529e1158d3", + "fixedversion" => "2.10.8", + "discoveredby" => "Jacob Appelbaum of the Tor Project" + "title" => "Remote crash reading Yahoo! P2P message", + "date" => "2014-02-28", + "cve" => "CVE-2013-6481", + "description" => "The Yahoo! protocol plugin failed to validate a length field before trying to read from a buffer, which could result in reading past the end of the buffer which could cause a crash.", + "fix" => "Check that the length is within range.", + "fixrevisions" => "4d139ce8f7ec", + "fixedversion" => "2.10.8", + "discoveredby" => "Daniel Atallah" + "title" => "NULL pointer dereference parsing headers in MSN", + "date" => "2014-02-28", + "cve" => "CVE-2013-6482", + "description" => "A malformed Content-Length header could lead to a NULL pointer dereference.", + "fix" => "Check to make sure the Content-Length header has a value.", + "fixrevisions" => "23cbfff68a0c", + "fixedversion" => "2.10.8", + "discoveredby" => "Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen" + "title" => "NULL pointer dereference parsing OIM data in MSN", + "date" => "2014-02-28", + "cve" => "CVE-2013-6482", + "description" => "A malicious server or man-in-the-middle could send us a specially-crafted XML response that results in a NULL pointer dereference.", + "fix" => "Check for NULL before calling atoi().", + "fixrevisions" => "ef836278304b", + "fixedversion" => "2.10.8", + "discoveredby" => "Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen" + "title" => "NULL pointer dereference parsing SOAP data in MSN", + "date" => "2014-02-28", + "cve" => "CVE-2013-6482", + "description" => "A malicious server or 
man-in-the-middle could send us a specially-crafted SOAP response that results in a NULL pointer dereference.", + "fix" => "Check for NULL before using values.", + "fixrevisions" => "68d6df7dc69c", + "fixedversion" => "2.10.8", + "discoveredby" => "Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen" + "title" => "XMPP doesn't verify 'from' on some iq replies", + "date" => "2014-02-28", + "cve" => "CVE-2013-6483", + "description" => "The XMPP protocol plugin failed to ensure that iq replies came from the person they were sent to. A remote user could send a spoofed iq reply and attempt to guess the iq id. This could allow an attacker to inject fake data or trigger a null pointer dereference.", + "fix" => "Keep track of the 'to' when sending an iq stanza and make sure replies for a given stanza ID come from the same address it was sent to.", + "fixrevisions" => "93d4bff19574", + "fixedversion" => "2.10.8", + "discoveredby" => "Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen" + "title" => "Crash reading response from STUN server", + "date" => "2014-02-28", + "cve" => "CVE-2013-6484", + "description" => "Incorrect error handling when reading the response from a STUN server could lead to a crash.", + "fix" => "Fix error handling.", + "fixrevisions" => "932b985540e9", + "fixedversion" => "2.10.8", + "discoveredby" => "Coverity static analysis" + "title" => "Buffer overflow parsing chunked HTTP responses", + "date" => "2014-02-28", + "cve" => "CVE-2013-6485", + "description" => "A malicious server or man-in-the-middle could cause a buffer overflow by sending a malformed HTTP response with chunked Transfer-Encoding with invalid chunk sizes.", + "fix" => "Enforce a maximum size for chunks.", + "fixrevisions" => "c9e5aba2dafd", + "fixedversion" => "2.10.8", + "discoveredby" => "Matt Jones, Volvent" + "title" => "Pidgin uses clickable links to untrusted executables", + "date" => "2014-02-28", + "cve" => "CVE-2013-6486", + 
"description" => "If a user clicks on a file:// URI in a received IM in Windows builds of Pidgin, Pidgin attempts to execute the file. This can be dangerous if the file:// URI is a path on a network share. This was <a href=\"?id=55\">originally reported in CVE-2011-3185 in 2011</a> and we attempted to fix it then, but failed.", + "fix" => "Don't attempt to execute files when the user clicks a file:// URI. Instead, open a file browser at the file's location.", + "fixrevisions" => "b2571530fa8b", + "fixedversion" => "2.10.8", + "discoveredby" => "Originally by James Burton, Insomnia Security. Rediscovered by Yves Younan of Sourcefire VRT." + "title" => "Buffer overflow in Gadu-Gadu HTTP parsing", + "date" => "2014-02-28", + "cve" => "CVE-2013-6487", + "description" => "A malicious server or man-in-the-middle could send a large value for Content-Length and cause an integer overflow which could lead to a buffer overflow.", + "fix" => "Enforce a maximum size for content-length.", + "fixrevisions" => "ec15aa187aa0", + "fixedversion" => "2.10.8", + "discoveredby" => "Yves Younan and Ryan Pentney of Sourcefire VRT" + "title" => "Buffer overflow in MXit emoticon parsing", + "date" => "2014-02-28", + "cve" => "CVE-2013-6489", + "description" => "A specially crafted emoticon value could cause an integer overflow which could lead to a buffer overflow.", + "fix" => "Use an unsigned integer and enforce a maximum size.", + "fixrevisions" => "4c897372b5a4", + "fixedversion" => "2.10.8", + "discoveredby" => "Yves Younan and Pawel Janic of Sourcefire VRT" + "title" => "Buffer overflow in SIMPLE header parsing", + "date" => "2014-02-28", + "cve" => "CVE-2013-6490", + "description" => "A Content-Length of -1 could lead to a buffer overflow.", + "fix" => "Ignore messages with negative values for Content-Length.", + "fixrevisions" => "6bd2dd10e5da", + "fixedversion" => "2.10.8", + "discoveredby" => "Yves Younan of Sourcefire VRT" + "title" => "Remotely triggerable crash in IRC argument 
parsing", + "date" => "2014-02-28", + "cve" => "CVE-2014-0020", + "description" => "A malicious server or man-in-the-middle could trigger a crash in libpurple by sending a message with fewer than expected arguments.", + "fix" => "Verify that incoming messages contain the appropriate number of arguments before handling them.", + "fixrevisions" => "a167504359e5,9f132a6855cd,5845d9fa7084,6b0e0566af20,4d9be297d399,7d0fb0c6d8d4", + "fixedversion" => "2.10.8", + "discoveredby" => "Daniel Atallah" /* Template for the unfortunate future
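Review bot: every new entry carries "date" => "2014-02-28", but the ChangeLog hunk in this same commit dates 2.10.8 to 1/28/2014 and the commit timestamps are Jan 28, so confirm the month before publishing. The CVE-2013-6477 entry describes a timestamp "in the distant future" while its fix reads "Avoid passing negative timestamps to localtime()"; one sentence tying the two together (the far-future value ends up negative) would make the advisory clearer. The CVE-2013-6486 description links to the earlier report with a hard-coded "?id=55"; since the lookup below resolves ids with intval() against count($vulnerabilities), an id is a position in the array and that link silently breaks if entries are ever reordered or removed.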
@@ -743,7 +913,7 @@
if (array_key_exists('id', $_GET)) {
// Read in the ID of the vulnerability the user wants to view
- $id = intval($_GET["id"]);
+ $id = intval($_GET["id"]); $total = count($vulnerabilities);
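Review bot: `$total = count($vulnerabilities);` is introduced but the hunk shows no range check on `$id`; a negative or too-large value from `intval($_GET["id"])` would index outside the array, so add `if ($id < 0 || $id >= $total) { /* show the list instead */ }` directly after the assignment, or make sure the existing code below actually uses `$total` for that check.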
--- a/inc/version.inc Mon Jan 27 21:28:35 2014 -0800
+++ b/inc/version.inc Tue Jan 28 07:08:59 2014 -0800
@@ -1,10 +1,10 @@
// Current Pidgin Release
-$pidgin_version = "2.10.7";
+$pidgin_version = "2.10.8"; // Current Windows Pidgin Release
-$pidgin_win32_version = "2.10.7";
+$pidgin_win32_version = "2.10.8"; // Version of Pidgin in the Ubuntu PPA
$pidgin_ubuntu_version = "2.10.6";
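Review bot: `$pidgin_ubuntu_version` stays at "2.10.6" while the other two variables are bumped to 2.10.8, so the site will keep advertising a PPA build that is two releases behind and lacks every fix listed on the security page; either bump it in the same change once PPA builds are available or add a comment next to it saying the PPA lags and will be updated separately. The index.php blurb added in this commit says the updates are "for all users", which sits badly with pointing PPA users at 2.10.6.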