565786 – (CVE-2010-0420) CVE-2010-0420 pidgin: Finch XMPP MUC Crash

Bug 565786 (CVE-2010-0420) - CVE-2010-0420 pidgin: Finch XMPP MUC Crash

Summary: CVE-2010-0420 pidgin: Finch XMPP MUC Crash

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2010-0420
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	565911 565912 565913 565914 566400 833966
Blocks:
TreeView+	depends on / blocked

Reported:	2010-02-16 10:01 UTC by Tomas Hoger
Modified:	2023-05-11 13:55 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-02-22 07:43:50 UTC
Embargoed:

Attachments	(Terms of Use)
Upstream patch to be included in 2.6.6 (631 bytes, patch) 2010-02-16 10:04 UTC, Tomas Hoger	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2010:0115	0	normal	SHIPPED_LIVE	Moderate: pidgin security update	2010-02-18 16:11:22 UTC

Description Tomas Hoger 2010-02-16 10:01:28 UTC

Pidgin 2.6.6 is fixing a remote crash bug in Finch (text-based client using libpurple).  If someone changes nick to '<br>' in XMPP MUC (multi-user chat), it causes Finch to crash.

Acknowledgements:

Red Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project for responsibly reporting this issue.

Comment 1 Tomas Hoger 2010-02-16 10:04:46 UTC

Created attachment 394492 [details]
Upstream patch to be included in 2.6.6

Additionally, following patch changes unescaping of <br> in libpurple:

http://developer.pidgin.im/viewmtn/revision/info/0085c32abf29d034d30feef1ffb1d483e316a9a8
http://developer.pidgin.im/ticket/11318

Comment 3 Jan Lieskovsky 2010-02-18 09:06:19 UTC

Public now via:
  http://pidgin.im/news/security/

Comment 4 Tomas Hoger 2010-02-18 09:19:17 UTC

http://pidgin.im/news/security/?id=44

Comment 6 errata-xmlrpc 2010-02-18 16:11:34 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2010:0115 https://rhn.redhat.com/errata/RHSA-2010-0115.html

Comment 7 Fedora Update System 2010-02-18 16:33:20 UTC

pidgin-2.6.6-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/pidgin-2.6.6-1.fc12

Comment 8 Fedora Update System 2010-02-20 00:09:10 UTC

pidgin-2.6.6-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2010-02-20 00:13:40 UTC

pidgin-2.6.6-1.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2010-02-20 00:26:13 UTC

pidgin-2.6.6-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.