Bug 910041 (CVE-2013-0273) - CVE-2013-0273 pidgin: Meanwhile protocol missing nul termination of long Lotus Sametime usernames
Summary: CVE-2013-0273 pidgin: Meanwhile protocol missing nul termination of long Lotu...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-0273
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 910651 910652 910653 910654 910826
Blocks: 909372
Reported: 2013-02-11 16:49 UTC by Jan Lieskovsky
Modified: 2023-05-12 23:49 UTC (History)

Fixed In Version: pidgin 2.10.7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-14 16:53:28 UTC
Embargoed:


Attachments
Local copy of (by Pidgin upstream) proposed patch to fix the CVE-2013-0273 issue (638 bytes, patch)
2013-02-11 17:04 UTC, Jan Lieskovsky


Links
System: Red Hat Product Errata; ID: RHSA-2013:0646; Private: 0; Priority: normal; Status: SHIPPED_LIVE; Summary: Moderate: pidgin security update; Last Updated: 2013-03-14 20:48:28 UTC

Description Jan Lieskovsky 2013-02-11 16:49:49 UTC
A security flaw was found in the way the Lotus Sametime support implementation of the Meanwhile protocol plug-in of libPurple normalized overly long Sametime user names. A rogue server could send a specially crafted Sametime user name that, when processed by Pidgin, would lead to a pidgin executable crash.

Upstream ticket:
[1] http://pidgin.im/news/security/?id=67
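
An added illustration of the defect class the description names (this is not the Pidgin patch nor the plug-in's actual code): a fixed-size normalization buffer filled with strncpy(), which leaves no terminating NUL when the user name is at least as long as the buffer, shown beside the terminated form and a bounded check that detects the missing NUL. The buffer size, function names and sample user names are constructed assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Size of the fixed normalization buffer: a constructed value, not the
 * plug-in's real buffer size, which this page does not state. */
#define NORM_BUF_LEN 16

/* Defective pattern: strncpy() fills all NORM_BUF_LEN bytes when the name
 * is at least that long and writes no terminating NUL, so any later
 * string operation on the buffer reads past its end (the crash class the
 * description reports). */
const char *normalize_unterminated(const char *name)
{
    static char buf[NORM_BUF_LEN];
    strncpy(buf, name, sizeof(buf));
    return buf;
}

/* Corrected form: force a NUL into the last byte, so the result is always
 * a valid (possibly truncated) C string. */
const char *normalize_terminated(const char *name)
{
    static char buf[NORM_BUF_LEN];
    strncpy(buf, name, sizeof(buf));
    buf[sizeof(buf) - 1] = '\0';
    return buf;
}

/* Detection helper: 1 if a NUL exists within the first n bytes of buf.
 * memchr() never reads beyond n bytes, so, unlike strlen(), it is safe to
 * call on an unterminated buffer. */
int nul_within(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Constructed sample names: one that fits, one longer than the buffer. */
const char *short_name = "user@corp";
const char *long_name = "a-very-long-sametime-user-name@corp.example";

int main(void)
{
    int bad = nul_within(normalize_unterminated(long_name), NORM_BUF_LEN);
    int ok = nul_within(normalize_terminated(long_name), NORM_BUF_LEN);
    /* Exit status 0 only when the defect is demonstrated and the fix holds. */
    return (bad == 0 && ok == 1) ? 0 : 1;
}
```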

Comment 2 Jan Lieskovsky 2013-02-11 17:04:07 UTC
Created attachment 696217 [details]
Local copy of (by Pidgin upstream) proposed patch to fix the CVE-2013-0273 issue

Comment 3 Jan Lieskovsky 2013-02-11 17:05:48 UTC
This issue affects the versions of the pidgin package as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the pidgin package as shipped with Fedora releases 16, 17, and 18.

Comment 7 Jan Lieskovsky 2013-02-13 16:27:42 UTC
Created pidgin tracking bugs for this issue

Affects: fedora-all [bug 910826]

Comment 8 Vincent Danen 2013-02-13 19:35:25 UTC
External References:

http://www.pidgin.im/news/security/?id=67

Comment 9 Huzaifa S. Sidhpurwala 2013-03-04 06:34:26 UTC
Upstream patch:

http://hg.pidgin.im/pidgin/main/rev/c31cf8de31cd

Comment 10 Huzaifa S. Sidhpurwala 2013-03-04 09:06:09 UTC
Acknowledgements:

Red Hat would like to thank the Pidgin project for reporting this issue.

Comment 12 errata-xmlrpc 2013-03-14 16:50:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0646 https://rhn.redhat.com/errata/RHSA-2013-0646.html
