lp:ubuntu/hardy-security/pidgin

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/hardy-security/pidgin
Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Development

Recent revisions

28. By Marc Deslauriers

* SECURITY UPDATE: denial of service via custom emoticon
  - debian/patches/94_security_CVE-2010-1624.patch: make sure body is
    valid in libpurple/protocols/{msn,msnp9}/slp.c.
  - CVE-2010-1624
* SECURITY UPDATE: denial of service via base64 decoding (LP: #666998)
  - debian/patches/94_security_CVE-2010-3711.patch: correctly handle
    purple_base64_decode return codes in libpurple/ntlm.c,
    libpurple/protocols/{jabber/auth.c,msn/slp.c,msnp9/slp.c,
    myspace/message.c,yahoo/yahoo.c}.
  - CVE-2010-3711

27. By Marc Deslauriers

* SECURITY UPDATE: denial of service via malformed SLP message
  - debian/patches/94_security_CVE-2010-0277.patch: validate input in
    libpurple/protocols/msn/{slp.c,slpcall.c,slplink.c,slpmsg.h}.
  - CVE-2010-0277
* SECURITY UPDATE: denial of service via certain nicknames in Finch
  - debian/patches/94_security_CVE-2010-0420.patch: properly unescape
    text in finch/libgnt/gnttree.c, libpurple/protocols/bonjour/parser.c,
    libpurple/protocols/jabber/parser.c, libpurple/xmlnode.c.
  - CVE-2010-0420
* SECURITY UPDATE: denial of service via large number of smileys
  - debian/patches/94_security_CVE-2010-0423.patch: limit the number of
    smileys in pidgin/gtkimhtml.c.
  - CVE-2010-0423

26. By Marc Deslauriers

* SECURITY UPDATE: denial of service via TOPIC message
  - debian/patches/87_security_CVE-2009-2703.patch: validate args in
    libpurple/protocols/irc/msgs.c.
  - CVE-2009-2703
* SECURITY UPDATE: information disclosure via incorrect jabber TLS
  handling
  - debian/patches/88_security_CVE-2009-3026.patch: bail out if
    encryption is not available in libpurple/protocols/jabber/auth.c.
  - CVE-2009-3026
* SECURITY UPDATE: denial of service via malformed SLP invite message
  - debian/patches/89_security_CVE-2009-3083.patch: validate branch,
    content_type and content in libpurple/protocols/msn/slp.c and
    libpurple/protocols/msnp9/slp.c.
  - CVE-2009-3083
* SECURITY UPDATE: denial of service via crafted contact list data
  - debian/patches/90_security_CVE-2009-3615.patch: validate contact
    list structure in libpurple/protocols/oscar/oscar.c.
  - CVE-2009-3615
* SECURITY UPDATE: denial of service via specially formulated long
  filename (LP: #245769)
  - previous 72_SECURITY_CVE-2008-2955.patch patch was incomplete
  - debian/patches/91_security_CVE-2008-2955-2.patch: change
    src/protocols/msnp9/[slplink.c,slpcall.*] to make sure xfer structure
    still exists before putting dest_fp in it.
  - CVE-2008-2955
* SECURITY UPDATE: arbitrary code execution via crafted MSN message
  - previous 83_security_CVE-2009-1376.patch patch was incomplete
  - debian/patches/92_security_CVE-2009-1376-2.patch: switch offset
    variable to guint64 in libpurple/protocols/msnp9/slplink.c.
  - CVE-2009-1376
* Fix connection issue with MSN (LP: #494002)
  - debian/patches/93_msn_protocol8.patch: use protocol v8 in
    libpurple/protocols/msnp9/session.c, as it seems v9 isn't supported
    by msn anymore.

25. By Marc Deslauriers

* SECURITY UPDATE: arbitrary code execution via crafted MSNSLP packet
  (LP: #415863)
  - debian/patches/85_security_CVE-2009-2694.patch: properly destroy
    slpmsg in libpurple/protocols/{msn,msnp9}/slplink.c.
  - CVE-2009-2694

24. By Marc Deslauriers

* SECURITY UPDATE: denial of service via ICQWebMessage message type in
  OSCAR protocol. (LP: #393736)
  - debian/patches/84_security_CVE-2009-1889.patch: make the check better
    in libpurple/protocols/oscar/oscar.c, only allocate memory if len is
    valid in libpurple/protocols/oscar/bstream.c.
  - CVE-2009-1889

23. By Marc Deslauriers

* SECURITY UPDATE: denial of service or possible code execution in XMPP
  file transfer
  - debian/patches/81_security_CVE-2009-1373.patch: calculate lengths
    correctly in libpurple/protocols/jabber/si.c.
  - CVE-2009-1373
* SECURITY UPDATE: denial of service in PurpleCircBuffer object expansion
  - debian/patches/82_security_CVE-2009-1375.patch: add an additional
    check in libpurple/circbuffer.c.
  - CVE-2009-1375
* SECURITY UPDATE: arbitrary code execution via crafted MSN message
  - debian/patches/83_security_CVE-2009-1376.patch: switch offset
    variable to guint64 in libpurple/protocols/msn/slplink.c.
  - CVE-2009-1376

22. By Marc Deslauriers

* SECURITY UPDATE: code execution via integer overflow in the MSN protocol
  handler (LP: #245770)
  - debian/patches/71_SECURITY_CVE-2008-2927.patch: fix
    msn_slplink_process_msg() in src/protocols/msn/slplink.c and
    src/protocols/msnp9/slplink.c by checking against maximum size G_MAXSIZE.
  - CVE-2008-2927
* SECURITY UPDATE: denial of service via specially formulated long
  filename (LP: #245769)
  - debian/patches/72_SECURITY_CVE-2008-2955.patch: change
    src/protocols/msn/[slplink.c,slpcall.*] to make sure xfer structure still
    exists before putting dest_fp in it.
  - CVE-2008-2955
* SECURITY UPDATE: denial of service via resource exhaustion from arbitrary
  URL in UPnP functionality (LP: #245769)
  - debian/patches/73_SECURITY_CVE-2008-2957.patch: modified
    libpurple/[upnp.c,util.*] to add purple_util_fetch_url_request_len() in
    order to limit http downloads to 128k.
  - CVE-2008-2957
* SECURITY UPDATE: man in the middle attack from lack of certificate
  validation in nss plugin (LP: #251304)
  - debian/patches/74_SECURITY_CVE-2008-3532.patch: modified
    libpurple/plugins/ssl/ssl-nss.c to add certificate validation code.
  - CVE-2008-3532

21. By Sebastien Bacher

rebuild due to liblaunchpad-integration soname change

20. By Pedro Fragoso

* Sync with Debian, remaining Ubuntu changes; (LP: #211769)
  - debian/control:
    + Set Maintainer to Ubuntu Core Developers.
    + Add build-deps on liblaunchpad-integration-dev, intltool,
      libnm-glib-dev (for --enable-nm)
    + Drop build-deps on libsilc-1.1-2-dev | libsilc-dev (>= 1.1.1) as
      this library is in universe.
    + Drop the libpurple0 recommends on libpurple-bin.
    + Add a gaim transitional package for upgrades.
    + Moved finch's libx11-6 dependency to Suggests
  - Ship compatibility symlinks via debian/gaim.links
  - debian/rules:
    + Pass --enable-nm to configure to enable NetworkManager support
    + Pass --disable-silc to configure to disable silc support even if
      it's installed in the build environment.
    + Add X-Ubuntu-Gettext-Domain to the desktop file and update the
      translation templates in common-install-impl::.
    + Added necessary arguments to dh_shlibdeps for finch
  - Update debian/prefs.xml to set the notify plugin prefs
    /plugins/gtk/X11/notify/* and set /pidgin/plugins/loaded to load
    the notify plugin
  - debian/patches:
    + 02_lpi for LP integration
    + 04_let_crasher_for_apport to stop catching the SIGSEGV signal
      and let apport handle it
    + 05_default_to_irc_ubuntu_com to set the default IRC
      server to irc.ubuntu.com.
    + 70_autoconf patch

19. By Adrien Cunin

* Moved finch's libx11-6 dependency to Suggests: (LP: #195718)
  - debian/rules: added necessary arguments to dh_shlibdeps
  - debian/control: added Suggests: ${shlibs:Suggests}

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/karmic/pidgin