ubuntu/+source/pidgin:ubuntu/hardy-security

Last commit made on 2010-11-04
Get this branch:
git clone -b ubuntu/hardy-security https://git.launchpad.net/ubuntu/+source/pidgin
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name:
ubuntu/hardy-security
Repository:
lp:ubuntu/+source/pidgin

Recent commits

673173f... by Marc Deslauriers on 2010-11-03

Import patches-unapplied version 1:2.4.1-1ubuntu2.10 to ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: a8de9d26e08d3d1169cf5f50625e84cb1f014648

New changelog entries:
  * SECURITY UPDATE: denial of service via custom emoticon
    - debian/patches/94_security_CVE-2010-1624.patch: make sure body is
      valid in libpurple/protocols/{msn,msnp9}/slp.c.
    - CVE-2010-1624
  * SECURITY UPDATE: denial of service via base64 decoding (LP: #666998)
    - debian/patches/94_security_CVE-2010-3711.patch: correctly handle
      purple_base64_decode return codes in libpurple/ntlm.c,
      libpurple/protocols/{jabber/auth.c,msn/slp.c,msnp9/slp.c,
      myspace/message.c,yahoo/yahoo.c}.
    - CVE-2010-3711

a8de9d2... by Marc Deslauriers on 2010-02-18

Import patches-unapplied version 1:2.4.1-1ubuntu2.9 to ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: 10ed15e4a157176750068740791b1eeca3d9c494

New changelog entries:
  * SECURITY UPDATE: denial of service via malformed SLP message
    - debian/patches/94_security_CVE-2010-0277.patch: validate input in
      libpurple/protocols/msn/{slp.c,slpcall.c,slplink.c,slpmsg.h}.
    - CVE-2010-0277
  * SECURITY UPDATE: denial of service via certain nicknames in Finch
    - debian/patches/94_security_CVE-2010-0420.patch: properly unescape
      text in finch/libgnt/gnttree.c, libpurple/protocols/bonjour/parser.c,
      libpurple/protocols/jabber/parser.c, libpurple/xmlnode.c.
    - CVE-2010-0420
  * SECURITY UPDATE: denial of service via large number of smileys
    - debian/patches/94_security_CVE-2010-0423.patch: limit the number of
      smileys in pidgin/gtkimhtml.c.
    - CVE-2010-0423

10ed15e... by Marc Deslauriers on 2010-01-15

Import patches-unapplied version 1:2.4.1-1ubuntu2.8 to ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: faeb93998f5ad1ca5a3f1317d3b697a8e9f844f5

New changelog entries:
  * SECURITY UPDATE: denial of service via TOPIC message
    - debian/patches/87_security_CVE-2009-2703.patch: validate args in
      libpurple/protocols/irc/msgs.c.
    - CVE-2009-2703
  * SECURITY UPDATE: information disclosure via incorrect jabber TLS
    handling
    - debian/patches/88_security_CVE-2009-3026.patch: bail out if
      encryption is not available in libpurple/protocols/jabber/auth.c.
    - CVE-2009-3026
  * SECURITY UPDATE: denial of service via malformed SLP invite message
    - debian/patches/89_security_CVE-2009-3083.patch: validate branch,
      content_type and content in libpurple/protocols/msn/slp.c and
      libpurple/protocols/msnp9/slp.c.
    - CVE-2009-3083
  * SECURITY UPDATE: denial of service via crafted contact list data
    - debian/patches/90_security_CVE-2009-3615.patch: validate contact
      list structure in libpurple/protocols/oscar/oscar.c.
    - CVE-2009-3615
  * SECURITY UPDATE: denial of service via specially formulated long
    filename (LP: #245769)
    - previous 72_SECURITY_CVE-2008-2955.patch patch was incomplete
    - debian/patches/91_security_CVE-2008-2955-2.patch: change
      src/protocols/msnp9/[slplink.c,slpcall.*] to make sure xfer structure
      still exists before putting dest_fp in it.
    - CVE-2008-2955
  * SECURITY UPDATE: arbitrary code execution via crafted MSN message
    - previous 83_security_CVE-2009-1376.patch patch was incomplete
    - debian/patches/92_security_CVE-2009-1376-2.patch: switch offset
      variable to guint64 in libpurple/protocols/msnp9/slplink.c.
    - CVE-2009-1376
  * Fix connection issue with MSN (LP: #494002)
    - debian/patches/93_msn_protocol8.patch: use protocol v8 in
      libpurple/protocols/msnp9/session.c, as it seems v9 isn't supported
      by msn anymore.

faeb939... by Chris Coulson on 2009-10-30

Import patches-unapplied version 1:2.4.1-1ubuntu2.7 to ubuntu/hardy-proposed

Imported using git-ubuntu import.

Changelog parent: dd3cab1f8ec8d9f80893b202e9bd8f22af3337ee

New changelog entries:
  * debian/patches/86_yahoo_protocol_fix.patch:
    - Backport upstream changes to use version 16 of the Yahoo!
      Messenger Protocol. The old authentication mechanism was
      disabled, meaning that it can no longer be used for signing in
      to Yahoo! services (LP: #389322)

dd3cab1... by Marc Deslauriers on 2009-08-19

Import patches-unapplied version 1:2.4.1-1ubuntu2.6 to ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: a32b16d6fc4dd07c2b3e2cf635bd2dfb75d6a683

New changelog entries:
  * SECURITY UPDATE: arbitrary code execution via crafted MSNSLP packet
    (LP: #415863)
    - debian/patches/85_security_CVE-2009-2694.patch: properly destroy
      slpmsg in libpurple/protocols/{msn,msnp9}/slplink.c.
    - CVE-2009-2694

a32b16d... by Marc Deslauriers on 2009-07-03

Import patches-unapplied version 1:2.4.1-1ubuntu2.5 to ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: 4785d7871cb9c58abd8061309b8f214fa5bce20a

New changelog entries:
  * SECURITY UPDATE: denial of service via ICQWebMessage message type in
    OSCAR protocol. (LP: #393736)
    - debian/patches/84_security_CVE-2009-1889.patch: make the check better
      in libpurple/protocols/oscar/oscar.c, only allocate memory if len is
      valid in libpurple/protocols/oscar/bstream.c.
    - CVE-2009-1889

4785d78... by Marc Deslauriers on 2009-05-25

Import patches-unapplied version 1:2.4.1-1ubuntu2.4 to ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: 855e7b11fd1908cbb43bb4094d580bebbbb2119a

New changelog entries:
  * SECURITY UPDATE: denial of service or possible code execution in XMPP
    file transfer
    - debian/patches/81_security_CVE-2009-1373.patch: calculate lengths
      correctly in libpurple/protocols/jabber/si.c.
    - CVE-2009-1373
  * SECURITY UPDATE: denial of service in PurpleCircBuffer object expansion
    - debian/patches/82_security_CVE-2009-1375.patch: add an additional
      check in libpurple/circbuffer.c.
    - CVE-2009-1375
  * SECURITY UPDATE: arbitrary code execution via crafted MSN message
    - debian/patches/83_security_CVE-2009-1376.patch: switch offset
      variable to guint64 in libpurple/protocols/msn/slplink.c.
    - CVE-2009-1376

855e7b1... by Didier Roche on 2009-03-10

Import patches-unapplied version 1:2.4.1-1ubuntu2.3 to ubuntu/hardy-proposed

Imported using git-ubuntu import.

Changelog parent: 2a74ca509d3c168bf6a1fcfc5e7d7c6cad2a56a0

New changelog entries:
  * Apply upstream patch to fix connection issue with new ICQ
    protocol: debian/patches/80_fix_ICQ_new_protocol.patch (LP: #340151)

2a74ca5... by Marc Deslauriers on 2008-11-21

Import patches-unapplied version 1:2.4.1-1ubuntu2.2 to ubuntu/hardy-security

Imported using git-ubuntu import.

Changelog parent: f6c0f129eb5a16fd4765ac8aab4c550bd0271bc3

New changelog entries:
  * SECURITY UPDATE: code execution via integer overflow in the MSN protocol
    handler (LP: #245770)
    - debian/patches/71_SECURITY_CVE-2008-2927.patch: fix
      msn_slplink_process_msg() in src/protocols/msn/slplink.c and src/
      protocols/msnp9/slplink.c by checking against maximum size G_MAXSIZE.
    - CVE-2008-2927
  * SECURITY UPDATE: denial of service via specially formulated long
    filename (LP: #245769)
    - debian/patches/72_SECURITY_CVE-2008-2955.patch: change
      src/protocols/msn/[slplink.c,slpcall.*] to make sure xfer structure still
      exists before putting dest_fp in it.
    - CVE-2008-2955
  * SECURITY UPDATE: denial of service via resource exhaustion from arbitrary
    URL in UPnP functionality (LP: #245769)
    - debian/patches/73_SECURITY_CVE-2008-2957.patch: modified
      libpurple/[upnp.c,util.*] to add purple_util_fetch_url_request_len() in
      order to limit http downloads to 128k.
    - CVE-2008-2957
  * SECURITY UPDATE: man in the middle attack from lack of certificate
    validation in nss plugin (LP: #251304)
    - debian/patches/74_SECURITY_CVE-2008-3532.patch: modified
      libpurple/plugins/ssl/ssl-nss.c to add certificate validation code.
    - CVE-2008-3532
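
The CVE-2008-2927 entry above (check msn_slplink_process_msg() against G_MAXSIZE) and the CVE-2009-1376 entries earlier on this page (switch the offset variable to guint64) are two halves of one bounds check on SLP chunk reassembly. The following is an added example, not pidgin's code, showing the wrapping check beside the hardened one and a reassembly routine built on it. SIZE_MAX stands in for GLib's G_MAXSIZE, the SlpChunk type and the sample chunks are constructed for the example, and the "vulnerable" function models a 32-bit build where the offset and length are added in 32-bit arithmetic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not pidgin's code): the bounds check that guards copying an
 * SLP chunk into the reassembly buffer.  SIZE_MAX stands in for GLib's
 * G_MAXSIZE named in the changelog. */

/* Pre-fix shape, modelled on a 32-bit build: the header's offset is held in a
 * 32-bit variable and added to len in 32-bit arithmetic, so a huge offset
 * wraps the sum back below size and the check passes. */
bool slp_range_ok_vulnerable(uint32_t size, uint32_t offset, uint32_t len)
{
    uint32_t end = offset + len;           /* silently wraps */
    return end <= size;
}

/* Fixed shape: offset kept as 64 bits (CVE-2009-1376) and the sum tested for
 * wrap-around against SIZE_MAX before it is compared with size (CVE-2008-2927). */
bool slp_range_ok_fixed(uint64_t size, uint64_t offset, size_t len)
{
    if (offset > SIZE_MAX)               return false;   /* cannot index on this host */
    if (SIZE_MAX - len < (size_t)offset) return false;   /* offset + len would wrap */
    if (offset + len > size)             return false;   /* runs past the buffer */
    return true;
}

typedef struct {
    uint64_t offset;                       /* where this chunk lands in the message */
    size_t len;
    const unsigned char *data;
} SlpChunk;

/* Reassemble n chunks into a size-byte message.  Returns a malloc'd buffer the
 * caller frees, or NULL if any chunk fails the hardened check. */
unsigned char *slp_reassemble(uint64_t size, const SlpChunk *chunks, size_t n)
{
    if (size == 0 || size > SIZE_MAX) return NULL;
    unsigned char *buf = calloc(1, (size_t)size);
    if (buf == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (!slp_range_ok_fixed(size, chunks[i].offset, chunks[i].len)) {
            free(buf);
            return NULL;
        }
        memcpy(buf + chunks[i].offset, chunks[i].data, chunks[i].len);
    }
    return buf;
}

/* Constructed sample traffic: a well-formed two-chunk message and one whose
 * second chunk carries an offset that wraps in 32-bit arithmetic. */
static const unsigned char HELLO[] = "hello";
static const unsigned char WORLD[] = " world";

/* Returns true when the well-formed chunks reassemble to "hello world". */
bool slp_sample_reassembles(void)
{
    SlpChunk good[] = { {0, 5, HELLO}, {5, 6, WORLD} };
    unsigned char *msg = slp_reassemble(11, good, 2);
    bool ok = msg != NULL && memcmp(msg, "hello world", 11) == 0;
    free(msg);
    return ok;
}

/* Returns true when the wrapping-offset chunk is rejected (NULL result)
 * instead of being written out of bounds. */
bool slp_sample_overflow_rejected(void)
{
    SlpChunk bad[] = { {0, 5, HELLO}, {0xFFFFFFF0ull, 6, WORLD} };
    unsigned char *msg = slp_reassemble(11, bad, 2);
    bool rejected = (msg == NULL);
    free(msg);
    return rejected;
}

int main(void)
{
    printf("vulnerable check passes wrapped offset: %d\n",
           slp_range_ok_vulnerable(4096, 0xFFFFFFF0u, 0x20));
    printf("fixed check rejects it: %d\n",
           !slp_range_ok_fixed(4096, 0xFFFFFFF0ull, 0x20));
    printf("sample reassembles: %d, overflow rejected: %d\n",
           slp_sample_reassembles(), slp_sample_overflow_rejected());
    return 0;
}
```

Widening the offset alone is not enough (a 64-bit offset plus a length can still exceed SIZE_MAX on a 64-bit host), and the SIZE_MAX test alone is not enough on a 32-bit build where the header value was already truncated before the check ran; the two changelog entries together close both paths.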

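The CVE-2008-2957 entry above describes the fix as adding purple_util_fetch_url_request_len() to limit HTTP downloads to 128k so that an arbitrary URL handed to the UPnP code cannot exhaust memory. The following is an added example, not pidgin's code, of a body reader with that cap: it refuses a Content-Length that already exceeds the limit, grows its buffer only up to the limit, and probes for one extra byte so a body of exactly the limit is accepted while a longer one is rejected. The 128 KiB value is taken from the changelog's "128k", and FakeStream is a constructed stand-in for a socket.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not pidgin's code: the download cap the changelog describes
 * for purple_util_fetch_url_request_len().  128 KiB is the changelog's "128k";
 * FakeStream is a constructed stand-in for a socket. */
#define MAX_FETCH_LEN ((size_t)128 * 1024)

typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} FakeStream;

/* Read up to n bytes; returns 0 at end of stream, like a blocking recv(). */
static size_t fake_read(FakeStream *s, unsigned char *buf, size_t n)
{
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Drain a response body into a malloc'd buffer of at most max_len bytes.
 * content_length < 0 means the server sent no Content-Length header.
 * Returns NULL when the body is (or claims to be) larger than max_len, so a
 * hostile device cannot make the client buffer an unbounded reply. */
unsigned char *fetch_bounded(FakeStream *s, long content_length, size_t max_len, size_t *out_len)
{
    if (content_length >= 0 && (unsigned long)content_length > max_len)
        return NULL;                       /* refuse before allocating anything */

    size_t cap = content_length >= 0 ? (size_t)content_length : 4096;
    if (cap == 0) cap = 1;
    if (cap > max_len) cap = max_len;
    unsigned char *buf = malloc(cap);
    if (buf == NULL) return NULL;

    size_t got = 0;
    while (got < max_len) {
        if (got == cap) {                  /* grow geometrically, never past the cap */
            size_t next = cap > max_len / 2 ? max_len : cap * 2;
            unsigned char *p = realloc(buf, next);
            if (p == NULL) { free(buf); return NULL; }
            buf = p;
            cap = next;
        }
        size_t r = fake_read(s, buf + got, cap - got);
        if (r == 0) break;
        got += r;
    }
    if (got == max_len) {                  /* body may continue: probe one byte */
        unsigned char probe;
        if (fake_read(s, &probe, 1) > 0) { free(buf); return NULL; }
    }
    *out_len = got;
    return buf;
}

/* Test hook: feed a body of n 'x' bytes with the given Content-Length claim
 * and return the number of bytes accepted, or -1 if the fetch was refused. */
long fetch_len_for_body(size_t n, long content_length)
{
    unsigned char *body = malloc(n ? n : 1);
    if (body == NULL) return -1;
    memset(body, 'x', n);
    FakeStream s = { body, n, 0 };
    size_t out_len = 0;
    unsigned char *res = fetch_bounded(&s, content_length, MAX_FETCH_LEN, &out_len);
    free(body);
    if (res == NULL) return -1;
    free(res);
    return (long)out_len;
}

int main(void)
{
    printf("1000-byte body: %ld\n", fetch_len_for_body(1000, -1));
    printf("exactly 128 KiB: %ld\n", fetch_len_for_body(MAX_FETCH_LEN, -1));
    printf("128 KiB + 1: %ld\n", fetch_len_for_body(MAX_FETCH_LEN + 1, -1));
    printf("claims 500000 bytes: %ld\n", fetch_len_for_body(10, 500000));
    return 0;
}
```

The Content-Length check is a fast path, not the protection: a server can omit the header or lie, so the loop itself must stop growing the buffer at the cap regardless of what was announced.
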
f6c0f12... by Iain Lane on 2008-07-02

Import patches-unapplied version 1:2.4.1-1ubuntu2.1 to ubuntu/hardy-proposed

Imported using git-ubuntu import.

Changelog parent: eebeca352a16e1bfd9d3736d37b8a5231abf43a2

New changelog entries:
  * Apply patch from upstream to fix issue where ICQ would not connect
    (LP: #244591)