lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1R0wC0-0006gb-W1@titan.mandriva.com>
Date: Tue, 06 Sep 2011 16:00:00 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2011:132 ] pidgin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:132
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : pidgin
 Date    : September 6, 2011
 Affected: 2009.0, 2010.1, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been identified and fixed in pidgin:
 
 It was found that the gdk-pixbuf GIF image loader routine
 gdk_pixbuf__gif_image_load() did not properly handle certain return
 values from its subroutines. A remote attacker could provide a
 specially-crafted GIF image, which, once opened in Pidgin, would lead
 gdk-pixbuf to return a partially initialized pixbuf structure. Using
 this structure, possibly containing a huge width and height, could
 lead to the application being terminated due to excessive memory use
 (CVE-2011-2485).
 
 Certain characters in the nicknames of IRC users can trigger a
 null pointer dereference in the IRC protocol plugin&#039;s handling of
 responses to WHO requests. This can cause a crash on some operating
 systems. Clients based on libpurple 2.8.0 through 2.9.0 are affected
 (CVE-2011-2943).
 
 Incorrect handling of HTTP 100 responses in the MSN protocol plugin
 can cause the application to attempt to access memory that it does
 not have access to. This only affects users who have turned on the
 HTTP connection method for their accounts (it&#039;s off by default). This
 might only be triggerable by a malicious server and not a malicious
 peer. We believe remote code execution is not possible (CVE-2011-3184).
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=490
 
 This update provides pidgin 2.10.0, which is not vulnerable to
 these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2485
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2943
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3184
 http://pidgin.im/news/security/
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 9691deaad1615375a6c96002da7de57b  2009.0/i586/finch-2.10.0-0.1mdv2009.0.i586.rpm
 eed6d45dede5d4ab8bc775d088577f8a  2009.0/i586/libfinch0-2.10.0-0.1mdv2009.0.i586.rpm
 aaeffe8dfc8088f8e75e1646c8803786  2009.0/i586/libpurple0-2.10.0-0.1mdv2009.0.i586.rpm
 429d026faa1969f6c7f2ee2aba74e6f4  2009.0/i586/libpurple-devel-2.10.0-0.1mdv2009.0.i586.rpm
 01da4c0f516a35076222558b8c0f42c3  2009.0/i586/pidgin-2.10.0-0.1mdv2009.0.i586.rpm
 54418f3845f324c46862d070f7d003d5  2009.0/i586/pidgin-bonjour-2.10.0-0.1mdv2009.0.i586.rpm
 f44a27aa04c704e4f194117636d83ed7  2009.0/i586/pidgin-client-2.10.0-0.1mdv2009.0.i586.rpm
 1aafb8808069d2d2fb2625b10c76e7fb  2009.0/i586/pidgin-gevolution-2.10.0-0.1mdv2009.0.i586.rpm
 52027036563b73dd5eb8eacfa3ceffd0  2009.0/i586/pidgin-i18n-2.10.0-0.1mdv2009.0.i586.rpm
 a5992cae2ba908cd1800dff218076838  2009.0/i586/pidgin-meanwhile-2.10.0-0.1mdv2009.0.i586.rpm
 2cd0288083dcb742e7dabdc46e7cc854  2009.0/i586/pidgin-perl-2.10.0-0.1mdv2009.0.i586.rpm
 43ce83b4706b90d5025f4f55c83f1e0b  2009.0/i586/pidgin-plugins-2.10.0-0.1mdv2009.0.i586.rpm
 35b1cd147e3e1836ea7f7b75ab70c531  2009.0/i586/pidgin-silc-2.10.0-0.1mdv2009.0.i586.rpm
 ae8ba0b0dc82d9deff4ef3bb88a4076d  2009.0/i586/pidgin-tcl-2.10.0-0.1mdv2009.0.i586.rpm 
 62f6a69270844338264edd3fbaa51e75  2009.0/SRPMS/pidgin-2.10.0-0.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 b119fdb620e35194b3c94e5f486feff3  2009.0/x86_64/finch-2.10.0-0.1mdv2009.0.x86_64.rpm
 748d4cd30f8c1b9a83e1759a6a522568  2009.0/x86_64/lib64finch0-2.10.0-0.1mdv2009.0.x86_64.rpm
 f809eae51ca1dcb9d9298db5edd03b49  2009.0/x86_64/lib64purple0-2.10.0-0.1mdv2009.0.x86_64.rpm
 4779a76e384c0f80a39a86b34c59ad1b  2009.0/x86_64/lib64purple-devel-2.10.0-0.1mdv2009.0.x86_64.rpm
 05b1274031920567e741278b527e8c62  2009.0/x86_64/pidgin-2.10.0-0.1mdv2009.0.x86_64.rpm
 2847f0c347adaa594df6b6ad7675e600  2009.0/x86_64/pidgin-bonjour-2.10.0-0.1mdv2009.0.x86_64.rpm
 a3c16b86b4060d62288a20485d53b333  2009.0/x86_64/pidgin-client-2.10.0-0.1mdv2009.0.x86_64.rpm
 6ba1fd63f59ac46016641585282af002  2009.0/x86_64/pidgin-gevolution-2.10.0-0.1mdv2009.0.x86_64.rpm
 8dfe86bf046bae759a82701cf115d06d  2009.0/x86_64/pidgin-i18n-2.10.0-0.1mdv2009.0.x86_64.rpm
 34c0c000fd2adce18ae980bd1de89f81  2009.0/x86_64/pidgin-meanwhile-2.10.0-0.1mdv2009.0.x86_64.rpm
 75289966638d58d9b4aec8c5dfe64245  2009.0/x86_64/pidgin-perl-2.10.0-0.1mdv2009.0.x86_64.rpm
 c5cecff86e10fa7b2802fef7f0d9d315  2009.0/x86_64/pidgin-plugins-2.10.0-0.1mdv2009.0.x86_64.rpm
 1642cc9818fed7cdfb9f673d5eab4302  2009.0/x86_64/pidgin-silc-2.10.0-0.1mdv2009.0.x86_64.rpm
 0967d7160e6e972b3f918363ffc3f261  2009.0/x86_64/pidgin-tcl-2.10.0-0.1mdv2009.0.x86_64.rpm 
 62f6a69270844338264edd3fbaa51e75  2009.0/SRPMS/pidgin-2.10.0-0.1mdv2009.0.src.rpm

 Mandriva Linux 2010.1:
 ca84191afa89f8b24f415f7f81a64ab6  2010.1/i586/finch-2.10.0-0.1mdv2010.2.i586.rpm
 2f15a306d87d7e24f58038bed15f97d8  2010.1/i586/libfinch0-2.10.0-0.1mdv2010.2.i586.rpm
 8c909ad5f9a5bf64a9130c374b1f490b  2010.1/i586/libpurple0-2.10.0-0.1mdv2010.2.i586.rpm
 f6768847952d2a37a93dc34af62dd318  2010.1/i586/libpurple-devel-2.10.0-0.1mdv2010.2.i586.rpm
 fb19371071adf5c8db9a2e3b9ba56e47  2010.1/i586/pidgin-2.10.0-0.1mdv2010.2.i586.rpm
 5a7ac9a7e95c7f56ed50926b26c1c859  2010.1/i586/pidgin-bonjour-2.10.0-0.1mdv2010.2.i586.rpm
 925c7a754960586a47765a74df57bd80  2010.1/i586/pidgin-client-2.10.0-0.1mdv2010.2.i586.rpm
 c88f5b5d394805a768313dd7776fb246  2010.1/i586/pidgin-gevolution-2.10.0-0.1mdv2010.2.i586.rpm
 36a9d24e1680f3217c146cfeba1c416e  2010.1/i586/pidgin-i18n-2.10.0-0.1mdv2010.2.i586.rpm
 1c9c5ec91da6e4f31bb1beee04739ad0  2010.1/i586/pidgin-meanwhile-2.10.0-0.1mdv2010.2.i586.rpm
 30d630a21e4b600bb75882db455b58a9  2010.1/i586/pidgin-perl-2.10.0-0.1mdv2010.2.i586.rpm
 b2f7653d2fcc2bd634ae553b9076c539  2010.1/i586/pidgin-plugins-2.10.0-0.1mdv2010.2.i586.rpm
 a0bbe6b50d49176d6e4654f2afa64b5c  2010.1/i586/pidgin-silc-2.10.0-0.1mdv2010.2.i586.rpm
 f858526c3c2149d6f061e2d7516ebd7a  2010.1/i586/pidgin-tcl-2.10.0-0.1mdv2010.2.i586.rpm 
 c54333d814cbc0dc6dec1404ea0ef26d  2010.1/SRPMS/pidgin-2.10.0-0.1mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 0c3cc73ffedf8baf501591e26bd609fb  2010.1/x86_64/finch-2.10.0-0.1mdv2010.2.x86_64.rpm
 f60127e02a45c13e054cfb77bb2e9a73  2010.1/x86_64/lib64finch0-2.10.0-0.1mdv2010.2.x86_64.rpm
 44c1f25023dda0214fce9a136792b32b  2010.1/x86_64/lib64purple0-2.10.0-0.1mdv2010.2.x86_64.rpm
 1a9f994c876a0fe8c1817c5af97b525c  2010.1/x86_64/lib64purple-devel-2.10.0-0.1mdv2010.2.x86_64.rpm
 472f8dbbf8144b3088cb4e0104161042  2010.1/x86_64/pidgin-2.10.0-0.1mdv2010.2.x86_64.rpm
 fb3a84803c16ac3715159a716e3bb997  2010.1/x86_64/pidgin-bonjour-2.10.0-0.1mdv2010.2.x86_64.rpm
 0dbc18bc4e673b591214ae2b62d2d5b9  2010.1/x86_64/pidgin-client-2.10.0-0.1mdv2010.2.x86_64.rpm
 4f8dbad90a05fb09e87b30dece3a6f68  2010.1/x86_64/pidgin-gevolution-2.10.0-0.1mdv2010.2.x86_64.rpm
 c08b726ba2d51eeaefad93ac05d2f009  2010.1/x86_64/pidgin-i18n-2.10.0-0.1mdv2010.2.x86_64.rpm
 ea3ab9b7f0642ace5ba158fd3562175a  2010.1/x86_64/pidgin-meanwhile-2.10.0-0.1mdv2010.2.x86_64.rpm
 cbfed1299c442d104e02dcdeb74cc425  2010.1/x86_64/pidgin-perl-2.10.0-0.1mdv2010.2.x86_64.rpm
 5237a1adb911a6311d16762ba26e0138  2010.1/x86_64/pidgin-plugins-2.10.0-0.1mdv2010.2.x86_64.rpm
 04ce4f97362aa093e160c17d11a5c849  2010.1/x86_64/pidgin-silc-2.10.0-0.1mdv2010.2.x86_64.rpm
 3a0117e5d400f48d5c345b61763695b7  2010.1/x86_64/pidgin-tcl-2.10.0-0.1mdv2010.2.x86_64.rpm 
 c54333d814cbc0dc6dec1404ea0ef26d  2010.1/SRPMS/pidgin-2.10.0-0.1mdv2010.2.src.rpm

 Mandriva Enterprise Server 5:
 560cfb4e6367c7cde341fe4fb553e8e7  mes5/i586/finch-2.10.0-0.1mdvmes5.2.i586.rpm
 a252b2a98f7b27d29ef2d64c48f32382  mes5/i586/libfinch0-2.10.0-0.1mdvmes5.2.i586.rpm
 f5da58f2499ef035cfcdef55db150cd5  mes5/i586/libpurple0-2.10.0-0.1mdvmes5.2.i586.rpm
 477b45d5d1e29cf1daeafc741f776ee2  mes5/i586/libpurple-devel-2.10.0-0.1mdvmes5.2.i586.rpm
 90e878420f4722ded1fc583a0309a7a7  mes5/i586/pidgin-2.10.0-0.1mdvmes5.2.i586.rpm
 5044a66d07807dd0ebc9be40e51356db  mes5/i586/pidgin-bonjour-2.10.0-0.1mdvmes5.2.i586.rpm
 f3a96a6bab53d33f13c0816053d1bcae  mes5/i586/pidgin-client-2.10.0-0.1mdvmes5.2.i586.rpm
 89dcd52af23ca809a40faf224b3386f9  mes5/i586/pidgin-gevolution-2.10.0-0.1mdvmes5.2.i586.rpm
 b921effa92a0cbf04c458ca42eedacae  mes5/i586/pidgin-i18n-2.10.0-0.1mdvmes5.2.i586.rpm
 ec3ea33d910ca0fe1df25a8d86961711  mes5/i586/pidgin-meanwhile-2.10.0-0.1mdvmes5.2.i586.rpm
 29560febf21a5b879abc3ff6cf5a2ec2  mes5/i586/pidgin-perl-2.10.0-0.1mdvmes5.2.i586.rpm
 307272b8a42864614bdabc66a7088317  mes5/i586/pidgin-plugins-2.10.0-0.1mdvmes5.2.i586.rpm
 2995b52999d3701a2727ccce72adfc88  mes5/i586/pidgin-silc-2.10.0-0.1mdvmes5.2.i586.rpm
 61be5df3ae9920cb3a3d4ea529d86c81  mes5/i586/pidgin-tcl-2.10.0-0.1mdvmes5.2.i586.rpm 
 1a76e2f620abd0a8626d67dd195cc843  mes5/SRPMS/pidgin-2.10.0-0.1mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 03d6a48bda57e441c03aa64853bb3c91  mes5/x86_64/finch-2.10.0-0.1mdvmes5.2.x86_64.rpm
 f57761597893028206d030914d8239df  mes5/x86_64/lib64finch0-2.10.0-0.1mdvmes5.2.x86_64.rpm
 c6067ee33650cb39e9e364a7e8cf24a0  mes5/x86_64/lib64purple0-2.10.0-0.1mdvmes5.2.x86_64.rpm
 3b7486d359849bf232738cf267a5bcdb  mes5/x86_64/lib64purple-devel-2.10.0-0.1mdvmes5.2.x86_64.rpm
 d09dd18646e36ba8282cb0bdb77c840b  mes5/x86_64/pidgin-2.10.0-0.1mdvmes5.2.x86_64.rpm
 1084298aca301a9611165c62689ddbb8  mes5/x86_64/pidgin-bonjour-2.10.0-0.1mdvmes5.2.x86_64.rpm
 864180f43280b806db65aba58e210e47  mes5/x86_64/pidgin-client-2.10.0-0.1mdvmes5.2.x86_64.rpm
 94a9c4489303cfd67d399a86a664fa84  mes5/x86_64/pidgin-gevolution-2.10.0-0.1mdvmes5.2.x86_64.rpm
 c8ad57d2343c39457269842179d9bb18  mes5/x86_64/pidgin-i18n-2.10.0-0.1mdvmes5.2.x86_64.rpm
 18c3f9c6bec24b93baec14d145347ec7  mes5/x86_64/pidgin-meanwhile-2.10.0-0.1mdvmes5.2.x86_64.rpm
 a2e414b2cf6fece827d6cf0a6b0b9c69  mes5/x86_64/pidgin-perl-2.10.0-0.1mdvmes5.2.x86_64.rpm
 9202e11d7d72d0a4f4cc6158c8cab595  mes5/x86_64/pidgin-plugins-2.10.0-0.1mdvmes5.2.x86_64.rpm
 0d4aa63adc9682a1937b1011497ed139  mes5/x86_64/pidgin-silc-2.10.0-0.1mdvmes5.2.x86_64.rpm
 00cbc42f2d0d8e4fdaba8aa9c1684d16  mes5/x86_64/pidgin-tcl-2.10.0-0.1mdvmes5.2.x86_64.rpm 
 1a76e2f620abd0a8626d67dd195cc843  mes5/SRPMS/pidgin-2.10.0-0.1mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFOZffXmqjQ0CJFipgRArXIAKCEiI4fIqhEJvtg2C4FttJx+F1i+ACgvMfO
BfSItMC3BXeRwWNlZKA6sqU=
=EpoQ
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ