Bug 989989 (CVE-2016-1000030)

Summary:	VUL-0: CVE-2016-1000030: pidgin: X.509 Certificates improperly imported
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Johannes Segitz <jsegitz>
Component:	Incidents	Assignee:	Felix Zhang <fezhang>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	fezhang, meissner, smash_bz
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/171084/
Whiteboard:	CVSSv2:RedHat:CVE-2016-1000030:2.6:(AV:N/AC:H/Au:N/C:N/I:P/A:N) CVSSv2:SUSE:CVE-2016-1000030:4.0:(AV:N/AC:H/Au:N/C:P/I:P/A:N)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Johannes Segitz 2016-07-21 12:16:44 UTC

rh#1348882

X.509 certificates may be improperly imported when using GnuTLS.

Fix: https://bitbucket.org/pidgin/main/commits/d6fc1ce76ffe

References:
http://www.pidgin.im/news/security/?id=91
https://bugzilla.redhat.com/show_bug.cgi?id=1348882
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000030

Comment 1 Felix Zhang 2016-07-21 12:46:43 UTC

vulnerability confirmed on SLE12 but not SLE11. Will work on it.

Comment 2 Felix Zhang 2016-07-21 12:50:20 UTC

(In reply to Felix Zhang from comment #1)
> vulnerability confirmed on SLE12 but not SLE11. Will work on it.

Correct to myself. The vulnerability is fixed in pidgin 2.11.0. Which has been pushed to SUSE:SLE-12-SP2:GA

Comment 3 Felix Zhang 2016-09-12 13:07:46 UTC

As in previous comment. SLE11 and SLE12SP2 are not affected.

Comment 4 Johannes Segitz 2018-06-11 11:42:00 UTC

(In reply to Felix Zhang from comment #3)
then we can close this, fixed in current products