Message-Id: <1227548208.7339.8.camel@mdlinux.technorage.com>
Date: Mon, 24 Nov 2008 12:36:48 -0500
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk,
"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: [USN-675-1] Pidgin vulnerabilities
===========================================================
Ubuntu Security Notice USN-675-1 November 24, 2008
pidgin vulnerabilities
CVE-2008-2927, CVE-2008-2955, CVE-2008-2957, CVE-2008-3532
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 7.10
Ubuntu 8.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 7.10:
pidgin 1:2.2.1-1ubuntu4.3
Ubuntu 8.04 LTS:
pidgin 1:2.4.1-1ubuntu2.2
After a standard system upgrade you need to restart Pidgin to effect
the necessary changes.
Details follow:
It was discovered that Pidgin did not properly handle certain malformed
messages in the MSN protocol handler. A remote attacker could send a specially
crafted message and possibly execute arbitrary code with user privileges.
(CVE-2008-2927)
It was discovered that Pidgin did not properly handle file transfers containing
a long filename and special characters in the MSN protocol handler. A remote
attacker could send a specially crafted filename in a file transfer request
and cause Pidgin to crash, leading to a denial of service. (CVE-2008-2955)
It was discovered that Pidgin did not impose resource limitations in the UPnP
service. A remote attacker could cause Pidgin to download arbitrary files
and cause a denial of service from memory or disk space exhaustion.
(CVE-2008-2957)
It was discovered that Pidgin did not validate SSL certificates when using a
secure connection. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could be exploited to view sensitive
information. This update alters Pidgin behaviour by asking users to confirm
the validity of a certificate upon initial login. (CVE-2008-3532)
Updated packages for Ubuntu 7.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3.diff.gz
Size/MD5: 57978 254c333b127e6f18bf5deff2df48aace
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3.dsc
Size/MD5: 1475 9e202c8cb64aa6f5b813c989caea7b93
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1.orig.tar.gz
Size/MD5: 12868326 3de2ef29d4a62c515a223cba5d4c4671
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch-dev_2.2.1-1ubuntu4.3_all.deb
Size/MD5: 143616 602c6c56f30d9f40013e41841d595edb
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-bin_2.2.1-1ubuntu4.3_all.deb
Size/MD5: 123834 625e7e989d6a29d8887137b407078c90
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-dev_2.2.1-1ubuntu4.3_all.deb
Size/MD5: 257634 8febe671445a717eb09809b591825416
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-data_2.2.1-1ubuntu4.3_all.deb
Size/MD5: 1390894 5e360d9bd1b994a21e44bdd434004d42
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dev_2.2.1-1ubuntu4.3_all.deb
Size/MD5: 201660 6844e4107ac223deaf57d022bd84540a
http://security.ubuntu.com/ubuntu/pool/universe/p/pidgin/gaim_2.2.1-1ubuntu4.3_all.deb
Size/MD5: 119274 7836e1d1c689528c1bd533e51b8b110b
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.2.1-1ubuntu4.3_amd64.deb
Size/MD5: 311318 fec706b32fe99bb814056899e85a30c2
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.2.1-1ubuntu4.3_amd64.deb
Size/MD5: 1566428 e57dd483c64314b78811ae83afd01ab7
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.2.1-1ubuntu4.3_amd64.deb
Size/MD5: 4873688 6b59077f56042c373ba0a0537766f197
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3_amd64.deb
Size/MD5: 646402 f9d51d9559dae7a65e1ad771338d7cd9
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.2.1-1ubuntu4.3_i386.deb
Size/MD5: 293002 767d3b4cea192f2f567bc4004e5c34ae
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.2.1-1ubuntu4.3_i386.deb
Size/MD5: 1454484 051f1fe1704333c292e089d23cf1be4c
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.2.1-1ubuntu4.3_i386.deb
Size/MD5: 4585518 02a2bac7b6ab2be201c1b2956cbae8af
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3_i386.deb
Size/MD5: 603628 f071b1d796ca4d7894777b7c099e00f1
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.2.1-1ubuntu4.3_lpia.deb
Size/MD5: 292214 f14424242e4002dc026fd32c55fd859e
http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.2.1-1ubuntu4.3_lpia.deb
Size/MD5: 1432448 5db14c19c6010f2a6cb10ae39f598488
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.2.1-1ubuntu4.3_lpia.deb
Size/MD5: 4890584 a443f701a66508288371508bab68613c
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3_lpia.deb
Size/MD5: 602262 78a8c49c3937cc0ec647f779b8f4a89b
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.2.1-1ubuntu4.3_powerpc.deb
Size/MD5: 327048 b49ec32a017ba8eb95bdeb183a685dec
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.2.1-1ubuntu4.3_powerpc.deb
Size/MD5: 1632672 cd12c695cf8694fc5dfab98d4192fa0b
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.2.1-1ubuntu4.3_powerpc.deb
Size/MD5: 4843450 c483fbfca0036b0454a66231e5eb5ca4
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3_powerpc.deb
Size/MD5: 678768 fce379059fbc71ef9c0016e77092c128
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.2.1-1ubuntu4.3_sparc.deb
Size/MD5: 294868 0b79ad3c17899fc7d4e374903b4433a7
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.2.1-1ubuntu4.3_sparc.deb
Size/MD5: 1483770 1ca2179e7f56fb64b3ff898163149aa8
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.2.1-1ubuntu4.3_sparc.deb
Size/MD5: 4447692 3b7619af602cae52a0aaf305f8ffa554
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3_sparc.deb
Size/MD5: 609750 3471725c85e7183458134e7b6f72428f
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2.diff.gz
Size/MD5: 66731 5928aa79ba1425f6171ff2498ed82c57
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2.dsc
Size/MD5: 1539 be09a810e567b6d5e9c0e699ea6f6d35
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1.orig.tar.gz
Size/MD5: 13297380 25e3593d5e6bfc17911111475a057778
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch-dev_2.4.1-1ubuntu2.2_all.deb
Size/MD5: 37848 cdd046022be11e393c94cd06427f1a3a
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-bin_2.4.1-1ubuntu2.2_all.deb
Size/MD5: 92034 4bb65e5ae1ce1345a8403ce45613123e
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-dev_2.4.1-1ubuntu2.2_all.deb
Size/MD5: 234266 050e32d2264f10bc4e16d43c9ef0f225
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-data_2.4.1-1ubuntu2.2_all.deb
Size/MD5: 1328710 cbb005a2f0dc4b5bb2425d1448608863
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dev_2.4.1-1ubuntu2.2_all.deb
Size/MD5: 72632 c724bea962c7107f16fbb1d4b837d738
http://security.ubuntu.com/ubuntu/pool/universe/p/pidgin/gaim_2.4.1-1ubuntu2.2_all.deb
Size/MD5: 86300 774f5f7e6d2a495eb272d4249d185df9
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.2_amd64.deb
Size/MD5: 226884 778654356ed8517a62e531967a60619a
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.2_amd64.deb
Size/MD5: 1604782 0693279fa29bb9b7c104e767a9d0cf96
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.2_amd64.deb
Size/MD5: 4431992 f3301cd351a4d29bbf5fca944fd52ac3
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2_amd64.deb
Size/MD5: 572144 3709481a941f530c1cfd8b18efadd367
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.2_i386.deb
Size/MD5: 200878 8ea4b5d4ef47709be587bc0b30d27910
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.2_i386.deb
Size/MD5: 1365460 2ba4f4606e478b325f49a6058ed09886
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.2_i386.deb
Size/MD5: 4242032 90317cc00e3037e852ce3857914cf511
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2_i386.deb
Size/MD5: 517198 f7a61815aa2aff71475297cd7b76c546
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.2_lpia.deb
Size/MD5: 197204 3858112dba3f65d1eb9a43d44a641226
http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.2_lpia.deb
Size/MD5: 1415086 d0d08032e22ac56132999a61d75f8071
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.2_lpia.deb
Size/MD5: 4371468 30ef5919816607e4f2594e8fa664d02b
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2_lpia.deb
Size/MD5: 511682 85c979fcb75af48298b2652469d46a47
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.2_powerpc.deb
Size/MD5: 237202 196a4925b68d32e2ad35cff8aaec3b08
http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.2_powerpc.deb
Size/MD5: 1633050 9d3cb75d0b064b3c321632852b01cfca
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.2_powerpc.deb
Size/MD5: 4474528 bc9647e3320d694226a2a8e6f107ec02
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2_powerpc.deb
Size/MD5: 589690 56edd0928fd37d727707c056a6b2817b
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.2_sparc.deb
Size/MD5: 212828 72ae328af916d4e831f387092561e4ef
http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.2_sparc.deb
Size/MD5: 1531820 7f5759f32b810ba0d2765f881f4661dc
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.2_sparc.deb
Size/MD5: 4363018 9ec1b1e8a3d8b71f47f7e49f07bc9319
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2_sparc.deb
Size/MD5: 545602 a269667a162aff2a50b482a58bb23233
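The package tables above pair each download URL with a "Size/MD5" line so that a fetched .deb can be checked before installation. The following is an added example, not part of USN-675-1 or of the Ubuntu tooling: it parses that URL/Size/MD5 layout and checks a local file against it. The two entries in ADVISORY_EXCERPT are copied from the i386 table for Ubuntu 8.04 LTS; the file path passed to verify_download is an assumption about where the package was saved.

```python
import hashlib
import os
import re
import tempfile

# Constructed excerpt in the advisory's own layout; the two URLs and digests
# are copied from the Ubuntu 8.04 LTS i386 table of USN-675-1.
ADVISORY_EXCERPT = """\
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2_i386.deb
Size/MD5: 517198 f7a61815aa2aff71475297cd7b76c546
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.2_i386.deb
Size/MD5: 1365460 2ba4f4606e478b325f49a6058ed09886
"""

# "Size/MD5: <decimal size> <32 hex chars>" as printed in the notice.
SIZE_MD5_RE = re.compile(r"^\s*Size/MD5:\s+(\d+)\s+([0-9a-fA-F]{32})\s*$")


def parse_advisory(text):
    """Map package file name -> (size, md5) from URL / Size/MD5 line pairs."""
    expected = {}
    pending_url = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("http://", "https://")):
            pending_url = line            # remember the URL; digest follows
            continue
        m = SIZE_MD5_RE.match(line)
        if m and pending_url:
            name = pending_url.rsplit("/", 1)[-1]
            expected[name] = (int(m.group(1)), m.group(2).lower())
            pending_url = None
    return expected


def md5_of_file(path):
    """Stream the file through MD5 so large .deb files do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected):
    """Return (ok, reason): size is checked first, then the MD5 digest."""
    name = os.path.basename(path)
    if name not in expected:
        return False, "not listed in advisory"
    size, md5 = expected[name]
    actual_size = os.path.getsize(path)
    if actual_size != size:
        return False, f"size mismatch: {actual_size} != {size}"
    if md5_of_file(path) != md5:
        return False, "md5 mismatch"
    return True, "ok"


if __name__ == "__main__":
    table = parse_advisory(ADVISORY_EXCERPT)
    # Assumed download location; a truncated stand-in file is written here
    # so the check visibly fails on size rather than passing by accident.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pidgin_2.4.1-1ubuntu2.2_i386.deb")
        with open(path, "wb") as f:
            f.write(b"not the real package")
        print(verify_download(path, table))
```

The MD5 lines let you detect a truncated or corrupted download; they do not establish where the file came from, since MD5 is not collision-resistant and the digest travels in the same message as the URL. Authenticity comes from the PGP signature on the notice itself and, for the normal upgrade path, from apt's signed Release files, so a standard package upgrade remains the preferred way to apply the fix.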