Bug 803296 (CVE-2011-4939)

Summary: CVE-2011-4939 pidgin: NULL pointer dereference in the XMPP protocol plug-in by renaming user name
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: itamar, jrb, mbarnes, stu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-07-05 03:32:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 803299, 806709, 806710, 806711, 806712    
Bug Blocks: 803303    

Description Jan Lieskovsky 2012-03-14 11:48:30 UTC 
A NULL pointer dereference flaw was found in the way XMPP protocol plug-in of Pidgin, a Gtk+ based multiprotocol instant messaging client, performed change of user name for particular buddy. If a remote Pidgin user, present on the buddy list of the victim, changed their Pidgin nickname to specially-crafted value it would lead to Pidgin client crash.

Upstream bug report:
[1] http://developer.pidgin.im/ticket/14392

Upstream patch:
[2] http://developer.pidgin.im/viewmtn/revision/info/d1d77da56217f3a083e1d459bef054db9f1d5699

Upstream security page entry:
[3] http://pidgin.im/news/security/?id=60

CVE request:
[4] http://www.openwall.com/lists/oss-security/2012/03/14/2
Comment 2 Jan Lieskovsky 2012-03-14 11:54:00 UTC 
Created pidgin tracking bugs for this issue

Affects: fedora-all [bug 803299]
Comment 3 Vincent Danen 2012-03-14 18:17:24 UTC 
This was assigned the name CVE-2011-4939:

http://www.openwall.com/lists/oss-security/2012/03/14/7
Comment 14 Huzaifa S. Sidhpurwala 2012-07-05 03:32:09 UTC 
Statement:

Not Vulnerable. This issue does not affect the version of pidgin as shipped with Red Hat Enterprise Linux 5 and 6.