Message-Id: <E1R4u0y-0004gi-Pp@titan.mandriva.com>
Date: Sat, 17 Sep 2011 14:29:00 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2011:132-1 ] pidgin


 _______________________________________________________________________

 Mandriva Linux Security Advisory                       MDVSA-2011:132-1
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : pidgin
 Date    : September 17, 2011
 Affected: 2011.
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been identified and fixed in pidgin:
 
 It was found that the gdk-pixbuf GIF image loader routine
 gdk_pixbuf__gif_image_load() did not properly handle certain return
 values from its subroutines. A remote attacker could provide a
 specially-crafted GIF image, which, once opened in Pidgin, would lead
 gdk-pixbuf to return a partially initialized pixbuf structure. Using
 this structure, possibly containing a huge width and height, could
 lead to the application being terminated due to excessive memory use
 (CVE-2011-2485).
 
 Certain characters in the nicknames of IRC users can trigger a
 null pointer dereference in the IRC protocol plugin's handling of
 responses to WHO requests. This can cause a crash on some operating
 systems. Clients based on libpurple 2.8.0 through 2.9.0 are affected
 (CVE-2011-2943).
 
 Incorrect handling of HTTP 100 responses in the MSN protocol plugin
 can cause the application to attempt to access memory that it does
 not have access to. This only affects users who have turned on the
 HTTP connection method for their accounts (it's off by default). This
 might only be triggerable by a malicious server and not a malicious
 peer. We believe remote code execution is not possible (CVE-2011-3184).
 
 This update provides pidgin 2.10.0, which is not vulnerable to
 these issues.
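 A check a practitioner would want after reading the description above, added here as an example and not part of the Mandriva advisory: given an installed pidgin/libpurple version string, decide whether it predates the fixed 2.10.0 release and whether it falls in the libpurple 2.8.0 through 2.9.0 range named for CVE-2011-2943. The version comparison is a simplified numeric one written for this example, not rpm's own algorithm.

```python
# Added example (not part of the Mandriva advisory): map an installed
# pidgin/libpurple version onto the ranges the advisory describes.
import re
from typing import Dict, Tuple

FIXED_VERSION = "2.10.0"           # version this update provides
IRC_AFFECTED = ("2.8.0", "2.9.0")  # libpurple range stated for CVE-2011-2943


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version such as '2.10.0' into comparable integers.

    Simplified relative to rpm's comparison (assumption of this example):
    only numeric dot-separated components are considered, and an rpm
    release suffix such as '-0.1' after the first '-' is dropped.
    """
    core = version.split("-", 1)[0]
    parts = re.findall(r"\d+", core)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def needs_update(installed: str) -> bool:
    """True when the installed pidgin is older than the fixed 2.10.0 release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def irc_who_affected(libpurple_version: str) -> bool:
    """True when libpurple lies in the 2.8.0..2.9.0 range named for CVE-2011-2943."""
    low, high = (parse_version(v) for v in IRC_AFFECTED)
    return low <= parse_version(libpurple_version) <= high


def assess(installed: str) -> Dict[str, bool]:
    """Summarise which of the advisory's findings apply to one installed version.

    CVE-2011-2485 and CVE-2011-3184 carry no separate range in the advisory;
    the 2.10.0 update is the stated fix for all three issues.
    """
    return {
        "needs_update": needs_update(installed),
        "cve_2011_2943_irc_range": irc_who_affected(installed),
    }


if __name__ == "__main__":
    # Constructed sample versions, e.g. as reported by `rpm -q --qf '%{VERSION}-%{RELEASE}' pidgin`
    for sample in ("2.7.11", "2.8.0", "2.9.0", "2.10.0-0.1"):
        print(sample, assess(sample))
```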

 Update:

 Packages for Mandriva Linux 2011 are now being provided as well. Enjoy!
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2485
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2943
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3184
 http://pidgin.im/news/security/
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2011:

 Mandriva Linux 2011/X86_64:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
