[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1R0wC0-0006gb-W1@titan.mandriva.com>
Date: Tue, 06 Sep 2011 16:00:00 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2011:132 ] pidgin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:132
http://www.mandriva.com/security/
_______________________________________________________________________
Package : pidgin
Date : September 6, 2011
Affected: 2009.0, 2010.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been identified and fixed in pidgin:
It was found that the gdk-pixbuf GIF image loader routine
gdk_pixbuf__gif_image_load() did not properly handle certain return
values from its subroutines. A remote attacker could provide a
specially-crafted GIF image, which, once opened in Pidgin, would lead
gdk-pixbuf to return a partially initialized pixbuf structure. Using
this structure, possibly containing a huge width and height, could
lead to the application being terminated due to excessive memory use
(CVE-2011-2485).
Certain characters in the nicknames of IRC users can trigger a
null pointer dereference in the IRC protocol plugin's handling of
responses to WHO requests. This can cause a crash on some operating
systems. Clients based on libpurple 2.8.0 through 2.9.0 are affected
(CVE-2011-2943).
Incorrect handling of HTTP 100 responses in the MSN protocol plugin
can cause the application to attempt to access memory that it does
not have access to. This only affects users who have turned on the
HTTP connection method for their accounts (it's off by default). This
might only be triggerable by a malicious server and not a malicious
peer. We believe remote code execution is not possible (CVE-2011-3184).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
This update provides pidgin 2.10.0, which is not vulnerable to
these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2943
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3184
http://pidgin.im/news/security/
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
9691deaad1615375a6c96002da7de57b 2009.0/i586/finch-2.10.0-0.1mdv2009.0.i586.rpm
eed6d45dede5d4ab8bc775d088577f8a 2009.0/i586/libfinch0-2.10.0-0.1mdv2009.0.i586.rpm
aaeffe8dfc8088f8e75e1646c8803786 2009.0/i586/libpurple0-2.10.0-0.1mdv2009.0.i586.rpm
429d026faa1969f6c7f2ee2aba74e6f4 2009.0/i586/libpurple-devel-2.10.0-0.1mdv2009.0.i586.rpm
01da4c0f516a35076222558b8c0f42c3 2009.0/i586/pidgin-2.10.0-0.1mdv2009.0.i586.rpm
54418f3845f324c46862d070f7d003d5 2009.0/i586/pidgin-bonjour-2.10.0-0.1mdv2009.0.i586.rpm
f44a27aa04c704e4f194117636d83ed7 2009.0/i586/pidgin-client-2.10.0-0.1mdv2009.0.i586.rpm
1aafb8808069d2d2fb2625b10c76e7fb 2009.0/i586/pidgin-gevolution-2.10.0-0.1mdv2009.0.i586.rpm
52027036563b73dd5eb8eacfa3ceffd0 2009.0/i586/pidgin-i18n-2.10.0-0.1mdv2009.0.i586.rpm
a5992cae2ba908cd1800dff218076838 2009.0/i586/pidgin-meanwhile-2.10.0-0.1mdv2009.0.i586.rpm
2cd0288083dcb742e7dabdc46e7cc854 2009.0/i586/pidgin-perl-2.10.0-0.1mdv2009.0.i586.rpm
43ce83b4706b90d5025f4f55c83f1e0b 2009.0/i586/pidgin-plugins-2.10.0-0.1mdv2009.0.i586.rpm
35b1cd147e3e1836ea7f7b75ab70c531 2009.0/i586/pidgin-silc-2.10.0-0.1mdv2009.0.i586.rpm
ae8ba0b0dc82d9deff4ef3bb88a4076d 2009.0/i586/pidgin-tcl-2.10.0-0.1mdv2009.0.i586.rpm
62f6a69270844338264edd3fbaa51e75 2009.0/SRPMS/pidgin-2.10.0-0.1mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
b119fdb620e35194b3c94e5f486feff3 2009.0/x86_64/finch-2.10.0-0.1mdv2009.0.x86_64.rpm
748d4cd30f8c1b9a83e1759a6a522568 2009.0/x86_64/lib64finch0-2.10.0-0.1mdv2009.0.x86_64.rpm
f809eae51ca1dcb9d9298db5edd03b49 2009.0/x86_64/lib64purple0-2.10.0-0.1mdv2009.0.x86_64.rpm
4779a76e384c0f80a39a86b34c59ad1b 2009.0/x86_64/lib64purple-devel-2.10.0-0.1mdv2009.0.x86_64.rpm
05b1274031920567e741278b527e8c62 2009.0/x86_64/pidgin-2.10.0-0.1mdv2009.0.x86_64.rpm
2847f0c347adaa594df6b6ad7675e600 2009.0/x86_64/pidgin-bonjour-2.10.0-0.1mdv2009.0.x86_64.rpm
a3c16b86b4060d62288a20485d53b333 2009.0/x86_64/pidgin-client-2.10.0-0.1mdv2009.0.x86_64.rpm
6ba1fd63f59ac46016641585282af002 2009.0/x86_64/pidgin-gevolution-2.10.0-0.1mdv2009.0.x86_64.rpm
8dfe86bf046bae759a82701cf115d06d 2009.0/x86_64/pidgin-i18n-2.10.0-0.1mdv2009.0.x86_64.rpm
34c0c000fd2adce18ae980bd1de89f81 2009.0/x86_64/pidgin-meanwhile-2.10.0-0.1mdv2009.0.x86_64.rpm
75289966638d58d9b4aec8c5dfe64245 2009.0/x86_64/pidgin-perl-2.10.0-0.1mdv2009.0.x86_64.rpm
c5cecff86e10fa7b2802fef7f0d9d315 2009.0/x86_64/pidgin-plugins-2.10.0-0.1mdv2009.0.x86_64.rpm
1642cc9818fed7cdfb9f673d5eab4302 2009.0/x86_64/pidgin-silc-2.10.0-0.1mdv2009.0.x86_64.rpm
0967d7160e6e972b3f918363ffc3f261 2009.0/x86_64/pidgin-tcl-2.10.0-0.1mdv2009.0.x86_64.rpm
62f6a69270844338264edd3fbaa51e75 2009.0/SRPMS/pidgin-2.10.0-0.1mdv2009.0.src.rpm
Mandriva Linux 2010.1:
ca84191afa89f8b24f415f7f81a64ab6 2010.1/i586/finch-2.10.0-0.1mdv2010.2.i586.rpm
2f15a306d87d7e24f58038bed15f97d8 2010.1/i586/libfinch0-2.10.0-0.1mdv2010.2.i586.rpm
8c909ad5f9a5bf64a9130c374b1f490b 2010.1/i586/libpurple0-2.10.0-0.1mdv2010.2.i586.rpm
f6768847952d2a37a93dc34af62dd318 2010.1/i586/libpurple-devel-2.10.0-0.1mdv2010.2.i586.rpm
fb19371071adf5c8db9a2e3b9ba56e47 2010.1/i586/pidgin-2.10.0-0.1mdv2010.2.i586.rpm
5a7ac9a7e95c7f56ed50926b26c1c859 2010.1/i586/pidgin-bonjour-2.10.0-0.1mdv2010.2.i586.rpm
925c7a754960586a47765a74df57bd80 2010.1/i586/pidgin-client-2.10.0-0.1mdv2010.2.i586.rpm
c88f5b5d394805a768313dd7776fb246 2010.1/i586/pidgin-gevolution-2.10.0-0.1mdv2010.2.i586.rpm
36a9d24e1680f3217c146cfeba1c416e 2010.1/i586/pidgin-i18n-2.10.0-0.1mdv2010.2.i586.rpm
1c9c5ec91da6e4f31bb1beee04739ad0 2010.1/i586/pidgin-meanwhile-2.10.0-0.1mdv2010.2.i586.rpm
30d630a21e4b600bb75882db455b58a9 2010.1/i586/pidgin-perl-2.10.0-0.1mdv2010.2.i586.rpm
b2f7653d2fcc2bd634ae553b9076c539 2010.1/i586/pidgin-plugins-2.10.0-0.1mdv2010.2.i586.rpm
a0bbe6b50d49176d6e4654f2afa64b5c 2010.1/i586/pidgin-silc-2.10.0-0.1mdv2010.2.i586.rpm
f858526c3c2149d6f061e2d7516ebd7a 2010.1/i586/pidgin-tcl-2.10.0-0.1mdv2010.2.i586.rpm
c54333d814cbc0dc6dec1404ea0ef26d 2010.1/SRPMS/pidgin-2.10.0-0.1mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
0c3cc73ffedf8baf501591e26bd609fb 2010.1/x86_64/finch-2.10.0-0.1mdv2010.2.x86_64.rpm
f60127e02a45c13e054cfb77bb2e9a73 2010.1/x86_64/lib64finch0-2.10.0-0.1mdv2010.2.x86_64.rpm
44c1f25023dda0214fce9a136792b32b 2010.1/x86_64/lib64purple0-2.10.0-0.1mdv2010.2.x86_64.rpm
1a9f994c876a0fe8c1817c5af97b525c 2010.1/x86_64/lib64purple-devel-2.10.0-0.1mdv2010.2.x86_64.rpm
472f8dbbf8144b3088cb4e0104161042 2010.1/x86_64/pidgin-2.10.0-0.1mdv2010.2.x86_64.rpm
fb3a84803c16ac3715159a716e3bb997 2010.1/x86_64/pidgin-bonjour-2.10.0-0.1mdv2010.2.x86_64.rpm
0dbc18bc4e673b591214ae2b62d2d5b9 2010.1/x86_64/pidgin-client-2.10.0-0.1mdv2010.2.x86_64.rpm
4f8dbad90a05fb09e87b30dece3a6f68 2010.1/x86_64/pidgin-gevolution-2.10.0-0.1mdv2010.2.x86_64.rpm
c08b726ba2d51eeaefad93ac05d2f009 2010.1/x86_64/pidgin-i18n-2.10.0-0.1mdv2010.2.x86_64.rpm
ea3ab9b7f0642ace5ba158fd3562175a 2010.1/x86_64/pidgin-meanwhile-2.10.0-0.1mdv2010.2.x86_64.rpm
cbfed1299c442d104e02dcdeb74cc425 2010.1/x86_64/pidgin-perl-2.10.0-0.1mdv2010.2.x86_64.rpm
5237a1adb911a6311d16762ba26e0138 2010.1/x86_64/pidgin-plugins-2.10.0-0.1mdv2010.2.x86_64.rpm
04ce4f97362aa093e160c17d11a5c849 2010.1/x86_64/pidgin-silc-2.10.0-0.1mdv2010.2.x86_64.rpm
3a0117e5d400f48d5c345b61763695b7 2010.1/x86_64/pidgin-tcl-2.10.0-0.1mdv2010.2.x86_64.rpm
c54333d814cbc0dc6dec1404ea0ef26d 2010.1/SRPMS/pidgin-2.10.0-0.1mdv2010.2.src.rpm
Mandriva Enterprise Server 5:
560cfb4e6367c7cde341fe4fb553e8e7 mes5/i586/finch-2.10.0-0.1mdvmes5.2.i586.rpm
a252b2a98f7b27d29ef2d64c48f32382 mes5/i586/libfinch0-2.10.0-0.1mdvmes5.2.i586.rpm
f5da58f2499ef035cfcdef55db150cd5 mes5/i586/libpurple0-2.10.0-0.1mdvmes5.2.i586.rpm
477b45d5d1e29cf1daeafc741f776ee2 mes5/i586/libpurple-devel-2.10.0-0.1mdvmes5.2.i586.rpm
90e878420f4722ded1fc583a0309a7a7 mes5/i586/pidgin-2.10.0-0.1mdvmes5.2.i586.rpm
5044a66d07807dd0ebc9be40e51356db mes5/i586/pidgin-bonjour-2.10.0-0.1mdvmes5.2.i586.rpm
f3a96a6bab53d33f13c0816053d1bcae mes5/i586/pidgin-client-2.10.0-0.1mdvmes5.2.i586.rpm
89dcd52af23ca809a40faf224b3386f9 mes5/i586/pidgin-gevolution-2.10.0-0.1mdvmes5.2.i586.rpm
b921effa92a0cbf04c458ca42eedacae mes5/i586/pidgin-i18n-2.10.0-0.1mdvmes5.2.i586.rpm
ec3ea33d910ca0fe1df25a8d86961711 mes5/i586/pidgin-meanwhile-2.10.0-0.1mdvmes5.2.i586.rpm
29560febf21a5b879abc3ff6cf5a2ec2 mes5/i586/pidgin-perl-2.10.0-0.1mdvmes5.2.i586.rpm
307272b8a42864614bdabc66a7088317 mes5/i586/pidgin-plugins-2.10.0-0.1mdvmes5.2.i586.rpm
2995b52999d3701a2727ccce72adfc88 mes5/i586/pidgin-silc-2.10.0-0.1mdvmes5.2.i586.rpm
61be5df3ae9920cb3a3d4ea529d86c81 mes5/i586/pidgin-tcl-2.10.0-0.1mdvmes5.2.i586.rpm
1a76e2f620abd0a8626d67dd195cc843 mes5/SRPMS/pidgin-2.10.0-0.1mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
03d6a48bda57e441c03aa64853bb3c91 mes5/x86_64/finch-2.10.0-0.1mdvmes5.2.x86_64.rpm
f57761597893028206d030914d8239df mes5/x86_64/lib64finch0-2.10.0-0.1mdvmes5.2.x86_64.rpm
c6067ee33650cb39e9e364a7e8cf24a0 mes5/x86_64/lib64purple0-2.10.0-0.1mdvmes5.2.x86_64.rpm
3b7486d359849bf232738cf267a5bcdb mes5/x86_64/lib64purple-devel-2.10.0-0.1mdvmes5.2.x86_64.rpm
d09dd18646e36ba8282cb0bdb77c840b mes5/x86_64/pidgin-2.10.0-0.1mdvmes5.2.x86_64.rpm
1084298aca301a9611165c62689ddbb8 mes5/x86_64/pidgin-bonjour-2.10.0-0.1mdvmes5.2.x86_64.rpm
864180f43280b806db65aba58e210e47 mes5/x86_64/pidgin-client-2.10.0-0.1mdvmes5.2.x86_64.rpm
94a9c4489303cfd67d399a86a664fa84 mes5/x86_64/pidgin-gevolution-2.10.0-0.1mdvmes5.2.x86_64.rpm
c8ad57d2343c39457269842179d9bb18 mes5/x86_64/pidgin-i18n-2.10.0-0.1mdvmes5.2.x86_64.rpm
18c3f9c6bec24b93baec14d145347ec7 mes5/x86_64/pidgin-meanwhile-2.10.0-0.1mdvmes5.2.x86_64.rpm
a2e414b2cf6fece827d6cf0a6b0b9c69 mes5/x86_64/pidgin-perl-2.10.0-0.1mdvmes5.2.x86_64.rpm
9202e11d7d72d0a4f4cc6158c8cab595 mes5/x86_64/pidgin-plugins-2.10.0-0.1mdvmes5.2.x86_64.rpm
0d4aa63adc9682a1937b1011497ed139 mes5/x86_64/pidgin-silc-2.10.0-0.1mdvmes5.2.x86_64.rpm
00cbc42f2d0d8e4fdaba8aa9c1684d16 mes5/x86_64/pidgin-tcl-2.10.0-0.1mdvmes5.2.x86_64.rpm
1a76e2f620abd0a8626d67dd195cc843 mes5/SRPMS/pidgin-2.10.0-0.1mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFOZffXmqjQ0CJFipgRArXIAKCEiI4fIqhEJvtg2C4FttJx+F1i+ACgvMfO
BfSItMC3BXeRwWNlZKA6sqU=
=EpoQ
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists