Synopsis: Moderate: pidgin security, bug fix, and enhancement
Advisory ID: SLSA-2017:1854-1
Issue Date: 2017-08-01
CVE Numbers: CVE-2014-3694, CVE-2014-3695, CVE-2014-3696, CVE-2014-3698, CVE-2017-2640
—
The following packages have been upgraded to a later upstream version:
pidgin (2.10.11).
Security Fix(es):
* A denial of service flaw was found in the way Pidgin’s Mxit plug-in
handled emoticons. A malicious remote server or a man-in-the-middle
attacker could potentially use this flaw to crash Pidgin by sending a
specially crafted emoticon. (CVE-2014-3695)
* A denial of service flaw was found in the way Pidgin parsed Groupwise
server messages. A malicious remote server or a man-in-the-middle attacker
could potentially use this flaw to cause Pidgin to consume an excessive
amount of memory, possibly leading to a crash, by sending a specially
crafted message. (CVE-2014-3696)
* An information disclosure flaw was discovered in the way Pidgin parsed
XMPP messages. A malicious remote server or a man-in-the-middle attacker
could potentially use this flaw to disclose a portion of memory belonging
to the Pidgin process by sending a specially crafted XMPP message.
(CVE-2014-3698)
* An out-of-bounds write flaw was found in the way Pidgin processed XML
content. A malicious remote server could potentially use this flaw to
crash Pidgin or execute arbitrary code in the context of the pidgin
process. (CVE-2017-2640)
* It was found that Pidgin’s SSL/TLS plug-ins had a flaw in their
certificate validation functionality. An attacker could use this flaw to
create a fake certificate that Pidgin would trust, which could then be used
to conduct man-in-the-middle attacks against Pidgin. (CVE-2014-3694)
—
SL7
x86_64
libpurple-2.10.11-5.el7.i686.rpm
libpurple-2.10.11-5.el7.x86_64.rpm
pidgin-2.10.11-5.el7.x86_64.rpm
pidgin-debuginfo-2.10.11-5.el7.i686.rpm
pidgin-debuginfo-2.10.11-5.el7.x86_64.rpm
finch-2.10.11-5.el7.i686.rpm
finch-2.10.11-5.el7.x86_64.rpm
finch-devel-2.10.11-5.el7.i686.rpm
finch-devel-2.10.11-5.el7.x86_64.rpm
libpurple-devel-2.10.11-5.el7.i686.rpm
libpurple-devel-2.10.11-5.el7.x86_64.rpm
libpurple-perl-2.10.11-5.el7.x86_64.rpm
libpurple-tcl-2.10.11-5.el7.x86_64.rpm
pidgin-devel-2.10.11-5.el7.i686.rpm
pidgin-devel-2.10.11-5.el7.x86_64.rpm
pidgin-perl-2.10.11-5.el7.x86_64.rpm
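To verify that a host has actually received the fixed build, the package versions above have to be compared with rpm's own ordering rules, not as plain strings (a string compare would call 2.10.7 newer than 2.10.11). The following script is an added example and is not part of this advisory or of the Pidgin project: it reimplements rpm's version comparison in Python, parses `rpm -qa`-style entries, and reports each advisory package as fixed or vulnerable against 2.10.11-5.el7. The package names and the fixed version/release are taken from the list above; the sample `rpm -qa` output, the older 2.10.7-27.el7 build in it, and the `--live` flag are constructed for the example. It assumes no epoch is set on these packages.

```python
# Added example, not part of the SLSA-2017:1854-1 advisory or of Pidgin:
# decide from `rpm -qa` output whether the pidgin-family packages on an SL7
# host are at or beyond the fixed build 2.10.11-5.el7 listed in the advisory.
import re
import subprocess
import sys

FIXED_VERSION = "2.10.11"   # from the advisory text
FIXED_RELEASE = "5.el7"     # from the advisory's package file names
# Package names taken from the advisory's SL7 x86_64 list.
ADVISORY_PACKAGES = {
    "pidgin", "libpurple", "finch", "finch-devel", "libpurple-devel",
    "libpurple-perl", "libpurple-tcl", "pidgin-devel", "pidgin-perl",
    "pidgin-debuginfo",
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm's rpmvercmp does.

    Returns -1, 0 or 1. Strings are split into numeric and alphabetic
    segments; numeric segments compare as integers, alphabetic ones
    lexically, a numeric segment beats an alphabetic one, a longer string
    beats its own prefix, and '~' marks a pre-release that sorts before
    everything else. (Assumption: no epoch is involved.)
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    while sa or sb:
        ta = sa[0] if sa else None
        tb = sb[0] if sb else None
        if ta == "~" or tb == "~":          # tilde sorts before end-of-string
            if ta != "~":
                return 1
            if tb != "~":
                return -1
            sa.pop(0)
            sb.pop(0)
            continue
        if ta is None:                      # a is a prefix of b
            return -1
        if tb is None:                      # b is a prefix of a
            return 1
        sa.pop(0)
        sb.pop(0)
        if ta.isdigit() and tb.isdigit():
            if int(ta) != int(tb):
                return -1 if int(ta) < int(tb) else 1
        elif ta.isdigit():
            return 1
        elif tb.isdigit():
            return -1
        elif ta != tb:
            return -1 if ta < tb else 1
    return 0


_NEVRA = re.compile(
    r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")


def parse_nevra(entry: str):
    """Split 'name-version-release.arch' (a trailing '.rpm' is tolerated)."""
    entry = entry.strip()
    if entry.endswith(".rpm"):
        entry = entry[:-4]
    m = _NEVRA.match(entry)
    return m.groupdict() if m else None


def assess(rpm_qa_lines):
    """Map each installed advisory package to 'fixed' or 'vulnerable'."""
    verdicts = {}
    for line in rpm_qa_lines:
        pkg = parse_nevra(line)
        if not pkg or pkg["name"] not in ADVISORY_PACKAGES:
            continue
        # Version decides first; only on a tie does the release matter.
        order = (rpmvercmp(pkg["version"], FIXED_VERSION)
                 or rpmvercmp(pkg["release"], FIXED_RELEASE))
        verdicts[line.strip()] = "fixed" if order >= 0 else "vulnerable"
    return verdicts


# Constructed sample output, not from a real host: one package still on an
# older (constructed) build, two at the advisory's fixed build, one unrelated.
SAMPLE_RPM_QA = """\
pidgin-2.10.7-27.el7.x86_64
libpurple-2.10.11-5.el7.x86_64
finch-2.10.11-5.el7.i686
bash-4.2.46-28.el7.x86_64
"""

if __name__ == "__main__":
    if "--live" in sys.argv:   # hypothetical flag: query the real rpm database
        lines = subprocess.run(["rpm", "-qa"], check=True,
                               capture_output=True, text=True).stdout.splitlines()
    else:
        lines = SAMPLE_RPM_QA.splitlines()
    for nevra, verdict in sorted(assess(lines).items()):
        print(f"{verdict:10s} {nevra}")
```

Run without arguments it evaluates the constructed sample; with `--live` it reads the host's rpm database. The comparison deliberately ignores epoch because none of the packages listed above carries one; a general tool would compare epoch before version.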
– Scientific Linux Development Team