PublicDateAtUSN: 2012-01-04
Candidate: CVE-2011-4922
PublicDate: 2012-08-08 10:26:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4922
 http://www.pidgin.im/news/security/?id=50
 https://ubuntu.com/security/notices/USN-1500-1
Description:
 cipher.c in the Cipher API in libpurple in Pidgin before 2.7.10 retains
 encryption-key data in process memory, which might allow local users to
 obtain sensitive information by reading a core file or other
 representation of memory contents.
 It was discovered that libpurple versions prior to 2.7.10 do not properly
 clear certain data structures used in libpurple/cipher.c prior to freeing.
 An attacker could potentially extract partial information from memory
 regions freed by libpurple.
Ubuntu-Description:
Notes:
Bugs:
Priority: low
Discovered-by: Julia Lawall
Assigned-to: tyhicks
CVSS:

Patches_pidgin:
 upstream: http://hg.pidgin.im/pidgin/main/rev/8c850977cb42
upstream_pidgin: released (2.7.10-1)
hardy_pidgin: ignored (reached end-of-life)
lucid_pidgin: released (1:2.6.6-1ubuntu4.5)
maverick_pidgin: ignored (reached end-of-life)
natty_pidgin: not-affected (1:2.7.11-1ubuntu2.1)
oneiric_pidgin: not-affected (1:2.10.0-0ubuntu2)
precise_pidgin: not-affected (1:2.10.1-1ubuntu1)
devel_pidgin: not-affected (1:2.10.1-1ubuntu1)