pidgin/old.pidgin.im

Pidgin 2.10.7

2013-02-13, Mark Doliner
50edecb2fcf3
Parents 94126843a79a
Children ee1240a98935
Pidgin 2.10.7
--- a/htdocs/ChangeLog Wed Sep 19 21:35:32 2012 +0100
+++ b/htdocs/ChangeLog Wed Feb 13 07:08:17 2013 -0800
@@ -1,5 +1,103 @@
Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul
+version 2.10.7 (02/13/2013):
+ Alien hatchery:
+ * No changes
+
+ General:
+ * The configure script will now exit with status 1 when specifying
+ invalid protocol plugins using the --with-static-prpls and
+ --with-dynamic-prpls arguments. (Michael Fiedler) (#15316)
+
+ libpurple:
+ * Fix a crash when receiving UPnP responses with abnormally long values.
+ (CVE-2013-0274)
+ * Don't link directly to libgcrypt when building with GnuTLS support.
+ (Bartosz Brachaczek) (#15329)
+ * Fix UPnP mappings on routers that return empty <URLBase/> elements
+ in their response. (Ferdinand Stehle) (#15373)
+ * Tcl plugin uses saner, race-free plugin loading.
+ * Fix the Tcl signals-test plugin for savedstatus-changed.
+ (Andrew Shadura) (#15443)
+
+ Pidgin:
+ * Make Pidgin more friendly to non-X11 GTK+, such as MacPorts' +no_x11
+ variant.
+
+ Gadu-Gadu:
+ * Fix a crash at startup with large contact list. Avatar support for
+ buddies will be disabled until 3.0.0. (#15226, #14305)
+
+ IRC:
+ * Support for SASL authentication. (Thijs Alkemade, Andy Spencer)
+ (#13270)
+ * Print topic setter information at channel join. (#13317)
+
+ MSN:
+ * Fix SSL certificate issue when signing into MSN for some users.
+ * Fix a crash when removing a user before its icon is loaded. (Mark
+ Barfield) (#15217)
+
+ MXit:
+ * Fix two bugs where a remote MXit user could possibly specify a local
+ file path to be written to. (CVE-2013-0271)
+ * Fix a bug where the MXit server or a man-in-the-middle could
+ potentially send specially crafted data that could overflow a buffer
+ and lead to a crash or remote code execution. (CVE-2013-0272)
+ * Display farewell messages in a different colour to distinguish
+ them from normal messages.
+ * Add support for typing notification.
+ * Add support for the Relationship Status profile attribute.
+ * Remove all reference to Hidden Number.
+ * Ignore new invites to join a GroupChat if you're already joined, or
+ still have a pending invite.
+ * The buddy's name was not centered vertically in the buddy-list if they
+ did not have a status-message or mood set.
+ * Fix decoding of font-size changes in the markup of received messages.
+ * Increase the maximum file size that can be transferred to 1 MB.
+ * When setting an avatar image, no longer downscale it to 96x96.
+
+ Sametime:
+ * Fix a crash in Sametime when a malicious server sends us an abnormally
+ long user ID. (CVE-2013-0273)
+
+ Yahoo!:
+ * Fix a double-free in profile/picture loading code. (Mihai Serban)
+ (#15053)
+ * Fix retrieving server-side buddy aliases. (Catalin Salgu) (#15381)
+
+ Plugins:
+ * The Voice/Video Settings plugin supports using the sndio GStreamer
+ backends. (Brad Smith) (#14414)
+ * Fix a crash in the Contact Availability Detection plugin. (Mark)
+ (#15327)
+ * Make the Message Notification plugin more friendly to non-X11 GTK+,
+ such as MacPorts' +no_x11 variant.
+
+ Windows-Specific Changes:
+ * Compile with secure flags (Jurre van Bergen) (#15290)
+ * Installer downloads GTK+ Runtime and Debug Symbols more securely.
+ Thanks goes to Jacob Appelbaum of the Tor Project for identifying
+ this issue and suggesting solutions. (#15277)
+ * Updates to a number of dependencies, some of which have security
+ related fixes. Thanks again to Jacob Appelbaum and Jurre van Bergen
+ for identifying the vulnerable libraries and to Dieter Verfaillie
+ for helping getting the libraries updated. (#14571, #15285, #15286)
+ * ATK 1.32.0-2
+ * Cyrus SASL 2.1.25
+ * expat 2.1.0-1
+ * freetype 2.4.10-1
+ * gettext 0.18.1.1-2
+ * Glib 2.28.8-1
+ * libpng 1.4.12-1
+ * libxml2 2.9.0-1
+ * NSS 3.13.6 and NSPR 4.9.2
+ * Pango 1.29.4-1
+ * SILC 1.1.10
+ * zlib 1.2.5-2
+ * Patch libmeanwhile (sametime library) to fix crash. (Jonathan Rice)
+ (#12637)
+
version 2.10.6 (07/06/2012):
Pidgin:
* Fix a bug that requires a triple-click to open a conversation
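Review bot: In the Windows-Specific Changes block, the dependency entry says some of the updated libraries carry security-related fixes, but the list that follows (ATK through zlib) does not mark which ones, so a packager reading the ChangeLog cannot tell which updates are security-relevant. Suggest flagging those items, or citing the ticket next to each library instead of the combined "(#14571, #15285, #15286)". The entry "Installer downloads GTK+ Runtime and Debug Symbols more securely" has the same gap: it does not say what changed in the download step. Minor wording: "for helping getting the libraries updated" should read "for helping get the libraries updated".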
--- a/htdocs/index.php Wed Sep 19 21:35:32 2012 +0100
+++ b/htdocs/index.php Wed Feb 13 07:08:17 2013 -0800
@@ -115,7 +115,7 @@
<p class="more" id="lowblurb">
<!-- Put little news blurbs here! -->
-Pidgin 2.10.5 contains <a href="/news/security/?id=64">a security update</a> for users of MXit, and 2.10.6 contains a fix for a buddy list double-click bug that snuck into 2.10.5. Please upgrade if you use MXit!
+Pidgin 2.10.7 contains <a href="/news/security/">some security updates</a> for users of MXit, Sametime, and anyone connected to a public network (unencrypted Wi-Fi, universities, offices, etc). It also contains updated SSL certificates to fix signin problems with MSN. Please upgrade!
</p>
</div>
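Review bot: The new blurb links to "/news/security/" with no id, where the line it replaces linked straight to "?id=64", so readers land on the full advisory index and have to locate the 2.10.7 entries themselves. Consider linking each group named in the sentence to its own advisory entry. The phrase "anyone connected to a public network" also does not tell users which feature is affected; the advisory added in this same commit ties that exposure to UPnP response parsing (CVE-2013-0274), and naming UPnP here would let users judge whether they are affected.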
--- a/htdocs/news/security/index.php Wed Sep 19 21:35:32 2012 +0100
+++ b/htdocs/news/security/index.php Wed Feb 13 07:08:17 2013 -0800
@@ -683,6 +683,46 @@
"fixrevisions" => "ded93865ef42",
"fixedversion" => "2.10.5",
"discoveredby" => "Ulf Härnhammar"
+ ),
+ array(
+ "title" => "Remote MXit user could specify local file path",
+ "date" => "2013-02-13",
+ "cve" => "CVE-2013-0271",
+ "description" => "The MXit protocol plugin saves an image to local disk using a filename that could potentially be partially specified by the IM server or by a remote user.",
+ "fix" => "Escape values that come from the network before using them in filenames.",
+ "fixrevisions" => "a8aef1d340f2",
+ "fixedversion" => "2.10.7",
+ "discoveredby" => "Chris Wysopal, Veracode"
+ ),
+ array(
+ "title" => "MXit buffer overflow reading data from network",
+ "date" => "2013-02-13",
+ "cve" => "CVE-2013-0272",
+ "description" => "The code did not respect the size of the buffer when parsing HTTP headers, and a malicious server or man-in-the-middle could send specially crafted data that could overflow the buffer. This could lead to a crash or remote code execution.",
+ "fix" => "Check buffer bounds when reading and parsing incoming HTTP data.",
+ "fixrevisions" => "879db2a9a59c",
+ "fixedversion" => "2.10.7",
+ "discoveredby" => "Coverity static analysis"
+ ),
+ array(
+ "title" => "Sametime crash with long user IDs",
+ "date" => "2013-02-13",
+ "cve" => "CVE-2013-0273",
+ "description" => "libpurple failed to null-terminate user IDs that were longer than 4096 bytes. It's plausible that a malicious server could send one of these to us, which would lead to a crash.",
+ "fix" => "Use g_strlcpy() instead of strncpy() to guarrantee that the string is null-terminated.",
+ "fixrevisions" => "c31cf8de31cd",
+ "fixedversion" => "2.10.7",
+ "discoveredby" => "Coverity static analysis"
+ ),
+ array(
+ "title" => "Crash when receiving a UPnP response with abnormally long values",
+ "date" => "2013-02-13",
+ "cve" => "CVE-2013-0274",
+ "description" => "libpurple failed to null-terminate some strings when parsing the response from a UPnP router. This could lead to a crash if a malicious user on your network responds with a specially crafted message.",
+ "fix" => "Use g_strlcpy() instead of strncpy() to guarrantee that strings are null-terminated.",
+ "fixrevisions" => "ad7e7fb98db3",
+ "fixedversion" => "2.10.7",
+ "discoveredby" => "Coverity static analysis"
)
);
/* Template for the unfortunate future
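Review bot: The "fix" strings for CVE-2013-0273 and CVE-2013-0274 both misspell "guarantee" as "guarrantee"; these strings are rendered on the public advisory page, so fix them before publishing. In the CVE-2013-0271 entry, the title names only a "Remote MXit user" while the description says the filename could be specified "by the IM server or by a remote user", and the ChangeLog in this commit speaks of "two bugs", yet a single "fixrevisions" value is listed. Suggest aligning the title with the description and confirming that a8aef1d340f2 covers both bugs, or listing the second revision.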
--- a/inc/version.inc Wed Sep 19 21:35:32 2012 +0100
+++ b/inc/version.inc Wed Feb 13 07:08:17 2013 -0800
@@ -1,10 +1,10 @@
<?php
// Current Pidgin Release
-$pidgin_version = "2.10.6";
+$pidgin_version = "2.10.7";
// Current Windows Pidgin Release
-$pidgin_win32_version = "2.10.6";
+$pidgin_win32_version = "2.10.7";
// Version of Pidgin in the Ubuntu PPA
$pidgin_ubuntu_version = "2.10.6";
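Review bot: $pidgin_ubuntu_version stays at "2.10.6" while $pidgin_version and $pidgin_win32_version move to "2.10.7", so the site will keep advertising a PPA build that lacks the four CVE fixes announced in this same commit. If the PPA package is not published yet, say so in the commit message or a comment next to the variable and bump it in a follow-up once the PPA is updated; if it is already available, bump it here.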