Bug 910041 - (CVE-2013-0273) CVE-2013-0273 pidgin: Meanwhile protocol missing nul termination of long Lotus Sametime usernames
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20130213,repor...
Keywords: Security
Depends On: 910651 910652 910653 910654 910826
Blocks: 909372
Reported: 2013-02-11 11:49 EST by Jan Lieskovsky
Modified: 2014-09-13 15:00 EDT (History)

Fixed In Version: pidgin 2.10.7
Doc Type: Bug Fix
Last Closed: 2013-03-14 12:53:28 EDT

Attachments
Local copy of (by Pidgin upstream) proposed patch to fix the CVE-2013-0273 issue (638 bytes, patch)
2013-02-11 12:04 EST, Jan Lieskovsky

Description Jan Lieskovsky 2013-02-11 11:49:49 EST
A security flaw was found in the way the Lotus Sametime support implementation of the Meanwhile protocol plug-in of libPurple normalized overly long Sametime user names. A rogue server could send a specially-crafted Sametime user name that, when processed by Pidgin, would lead to a crash of the pidgin executable.

Upstream ticket:
[1] http://pidgin.im/news/security/?id=67
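The following is an added illustration of the bug class named in the title (a fixed-size buffer left without a NUL terminator when the source string is at least as long as the buffer) and of the hardened form. It is not Pidgin's code and not the attached patch; NAME_BUF_LEN, the function names and the sample user names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Illustration only: a hypothetical fixed-size buffer such as a protocol
 * plug-in might keep for a normalized username. Not Pidgin's code. */
#define NAME_BUF_LEN 16

/* Vulnerable pattern. strncpy() writes a terminator only if the source is
 * shorter than the buffer; for a source of NAME_BUF_LEN bytes or more it
 * fills every byte with name data and leaves no NUL. Any later strlen(),
 * strcmp() or printf("%s") on dst then reads past the end of the buffer.
 * Returns 1 if dst came out unterminated, 0 otherwise. */
int normalize_unterminated(char *dst, size_t dstlen, const char *src)
{
    strncpy(dst, src, dstlen);
    return memchr(dst, '\0', dstlen) == NULL;
}

/* Hardened pattern. Copy at most dstlen-1 bytes and always write the
 * terminator, so the result is a valid C string however long src is.
 * Same return convention as above; here it is always 0. */
int normalize_terminated(char *dst, size_t dstlen, const char *src)
{
    const char *end;
    size_t n;

    if (dstlen == 0)
        return 1;                           /* nothing to terminate */
    end = memchr(src, '\0', dstlen - 1);    /* stops at the first NUL */
    n = end ? (size_t)(end - src) : dstlen - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return memchr(dst, '\0', dstlen) == NULL;
}

/* Helpers that run each version against a NAME_BUF_LEN buffer and report
 * only the terminated/unterminated flag, so callers never handle a
 * possibly unterminated buffer themselves. */
int check_unsafe(const char *name)
{
    char buf[NAME_BUF_LEN];
    return normalize_unterminated(buf, sizeof buf, name);
}

int check_safe(const char *name)
{
    char buf[NAME_BUF_LEN];
    return normalize_terminated(buf, sizeof buf, name);
}

/* Length of the name after hardened normalization (at most NAME_BUF_LEN-1). */
size_t safe_len(const char *name)
{
    char buf[NAME_BUF_LEN];
    normalize_terminated(buf, sizeof buf, name);
    return strlen(buf);
}

int main(void)
{
    /* Constructed inputs: an ordinary username and one longer than the
     * buffer, standing in for a name a rogue server could send. */
    const char *normal = "alice@example";
    const char *hostile = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@evil.invalid";
    char buf[NAME_BUF_LEN];

    printf("normal : unsafe unterminated=%d safe unterminated=%d\n",
           check_unsafe(normal), check_safe(normal));
    printf("hostile: unsafe unterminated=%d safe unterminated=%d\n",
           check_unsafe(hostile), check_safe(hostile));

    /* Print the unsafe result with an explicit width; a plain "%s" here
     * would be exactly the over-read the bug describes. */
    normalize_unterminated(buf, sizeof buf, hostile);
    printf("unsafe buffer contents: %.*s\n", (int)sizeof buf, buf);
    normalize_terminated(buf, sizeof buf, hostile);
    printf("safe buffer contents:   %s (len %zu)\n", buf, safe_len(hostile));
    return 0;
}
```

The point to check in a code base is every strncpy() whose length argument equals the destination size: that call never terminates a source of that length or longer. Either write dst[dstlen - 1] = '\0' immediately after it or use a bounded copy that terminates by construction, as above; GCC's -Wstringop-truncation flags the bare pattern.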
Comment 2 Jan Lieskovsky 2013-02-11 12:04:07 EST
Created attachment 696217 [details]
Local copy of (by Pidgin upstream) proposed patch to fix the CVE-2013-0273 issue
Comment 3 Jan Lieskovsky 2013-02-11 12:05:48 EST
This issue affects the versions of the pidgin package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the pidgin package, as shipped with Fedora releases 16, 17, and 18.
Comment 7 Jan Lieskovsky 2013-02-13 11:27:42 EST
Created pidgin tracking bugs for this issue

Affects: fedora-all [bug 910826]
Comment 8 Vincent Danen 2013-02-13 14:35:25 EST
External References:

http://www.pidgin.im/news/security/?id=67
Comment 9 Huzaifa S. Sidhpurwala 2013-03-04 01:34:26 EST
Upstream patch:

http://hg.pidgin.im/pidgin/main/rev/c31cf8de31cd
Comment 10 Huzaifa S. Sidhpurwala 2013-03-04 04:06:09 EST
Acknowledgements:

Red Hat would like to thank the Pidgin project for reporting this issue.
Comment 12 errata-xmlrpc 2013-03-14 12:50:57 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0646 https://rhn.redhat.com/errata/RHSA-2013-0646.html
