Open Source and information security mailing list archives
 
Message-Id: <1227548208.7339.8.camel@mdlinux.technorage.com>
Date: Mon, 24 Nov 2008 12:36:48 -0500
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: [USN-675-1] Pidgin vulnerabilities

===========================================================
Ubuntu Security Notice USN-675-1          November 24, 2008
pidgin vulnerabilities
CVE-2008-2927, CVE-2008-2955, CVE-2008-2957, CVE-2008-3532
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.10:
  pidgin                          1:2.2.1-1ubuntu4.3

Ubuntu 8.04 LTS:
  pidgin                          1:2.4.1-1ubuntu2.2

After a standard system upgrade you need to restart Pidgin to effect
the necessary changes.

Details follow:

It was discovered that Pidgin did not properly handle certain malformed
messages in the MSN protocol handler. A remote attacker could send a specially
crafted message and possibly execute arbitrary code with user privileges.
(CVE-2008-2927)

It was discovered that Pidgin did not properly handle file transfers containing
a long filename and special characters in the MSN protocol handler. A remote
attacker could send a specially crafted filename in a file transfer request
and cause Pidgin to crash, leading to a denial of service. (CVE-2008-2955)

It was discovered that Pidgin did not impose resource limitations in the UPnP
service. A remote attacker could cause Pidgin to download arbitrary files 
and cause a denial of service from memory or disk space exhaustion.
(CVE-2008-2957)
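The Pidgin fix for CVE-2008-2957 is not reproduced on this page; the following is an added example, not Pidgin's code, that shows the class of defence the paragraph above describes. The "before" function reads whatever a UPnP device returns, so the peer decides how much memory or disk Pidgin uses; the "after" enforces a byte budget on what is actually received, so a Content-Length header that is absent or lies cannot bypass it. The names (read_bounded, fetch_description, fetch_bytes) and the 64 KiB budget are assumptions chosen for illustration.

```python
import io


class ResponseRejected(ValueError):
    """The peer's response exceeded the byte budget or carried an unusable header."""


def read_unbounded(stream):
    """'Before': trust the peer. A UPnP device (or anything that answers SSDP discovery
    on the LAN) chooses the size, so it also chooses our memory and disk use."""
    return stream.read()


def read_bounded(stream, max_bytes, chunk_size=4096):
    """'After': read at most max_bytes; raise as soon as the peer exceeds the budget.
    The cap is applied to bytes received, never to what the peer claims it will send."""
    buf = bytearray()
    while len(buf) <= max_bytes:
        # Ask for one byte more than the remaining budget, so an oversized body is
        # detected on the read that crosses the limit rather than after buffering it.
        piece = stream.read(min(chunk_size, max_bytes + 1 - len(buf)))
        if not piece:
            return bytes(buf)
        buf += piece
    raise ResponseRejected(f"peer sent more than {max_bytes} bytes")


def fetch_description(headers, body, max_bytes=64 * 1024):
    """Budget an HTTP-style response: refuse early when an honest Content-Length is
    already too big, and still enforce the cap while reading in case the header lies."""
    declared = headers.get("content-length")
    if declared is not None:
        try:
            declared = int(declared)
        except ValueError:
            raise ResponseRejected(f"unparseable Content-Length {declared!r}")
        if declared > max_bytes:
            raise ResponseRejected(f"Content-Length {declared} exceeds budget {max_bytes}")
    return read_bounded(body, max_bytes)


def fetch_bytes(data, headers, max_bytes=64 * 1024):
    """Wrapper over an in-memory body (constructed input): the body, or None if rejected."""
    try:
        return fetch_description(headers, io.BytesIO(data), max_bytes)
    except ResponseRejected:
        return None


if __name__ == "__main__":
    # Constructed responses: a small honest one, an oversized one, and one whose
    # Content-Length under-reports the body.
    print(len(fetch_bytes(b"<root/>" * 10, {"content-length": "70"}, 200) or b""))
    print(fetch_bytes(b"A" * 100_000, {}, 64 * 1024))
    print(fetch_bytes(b"A" * 100_000, {"content-length": "10"}, 64 * 1024))
```

The same budget belongs on the number of devices accepted from discovery and on any file written to disk, since the advisory names both memory and disk exhaustion; a per-response cap alone does not bound the total.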

It was discovered that Pidgin did not validate SSL certificates when using a
secure connection. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could be exploited to view sensitive
information. This update alters Pidgin behaviour by asking users to confirm
the validity of a certificate upon initial login. (CVE-2008-3532)


Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3.diff.gz
      Size/MD5:    57978 254c333b127e6f18bf5deff2df48aace
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3.dsc
      Size/MD5:     1475 9e202c8cb64aa6f5b813c989caea7b93
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1.orig.tar.gz
      Size/MD5: 12868326 3de2ef29d4a62c515a223cba5d4c4671

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch-dev_2.2.1-1ubuntu4.3_all.deb
      Size/MD5:   143616 602c6c56f30d9f40013e41841d595edb
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-bin_2.2.1-1ubuntu4.3_all.deb
      Size/MD5:   123834 625e7e989d6a29d8887137b407078c90
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-dev_2.2.1-1ubuntu4.3_all.deb
      Size/MD5:   257634 8febe671445a717eb09809b591825416
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-data_2.2.1-1ubuntu4.3_all.deb
      Size/MD5:  1390894 5e360d9bd1b994a21e44bdd434004d42
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dev_2.2.1-1ubuntu4.3_all.deb
      Size/MD5:   201660 6844e4107ac223deaf57d022bd84540a
    http://security.ubuntu.com/ubuntu/pool/universe/p/pidgin/gaim_2.2.1-1ubuntu4.3_all.deb
      Size/MD5:   119274 7836e1d1c689528c1bd533e51b8b110b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.2.1-1ubuntu4.3_amd64.deb
      Size/MD5:   311318 fec706b32fe99bb814056899e85a30c2
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.2.1-1ubuntu4.3_amd64.deb
      Size/MD5:  1566428 e57dd483c64314b78811ae83afd01ab7
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.2.1-1ubuntu4.3_amd64.deb
      Size/MD5:  4873688 6b59077f56042c373ba0a0537766f197
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3_amd64.deb
      Size/MD5:   646402 f9d51d9559dae7a65e1ad771338d7cd9

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.2.1-1ubuntu4.3_i386.deb
      Size/MD5:   293002 767d3b4cea192f2f567bc4004e5c34ae
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.2.1-1ubuntu4.3_i386.deb
      Size/MD5:  1454484 051f1fe1704333c292e089d23cf1be4c
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.2.1-1ubuntu4.3_i386.deb
      Size/MD5:  4585518 02a2bac7b6ab2be201c1b2956cbae8af
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3_i386.deb
      Size/MD5:   603628 f071b1d796ca4d7894777b7c099e00f1

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.2.1-1ubuntu4.3_lpia.deb
      Size/MD5:   292214 f14424242e4002dc026fd32c55fd859e
    http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.2.1-1ubuntu4.3_lpia.deb
      Size/MD5:  1432448 5db14c19c6010f2a6cb10ae39f598488
    http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.2.1-1ubuntu4.3_lpia.deb
      Size/MD5:  4890584 a443f701a66508288371508bab68613c
    http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3_lpia.deb
      Size/MD5:   602262 78a8c49c3937cc0ec647f779b8f4a89b

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.2.1-1ubuntu4.3_powerpc.deb
      Size/MD5:   327048 b49ec32a017ba8eb95bdeb183a685dec
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.2.1-1ubuntu4.3_powerpc.deb
      Size/MD5:  1632672 cd12c695cf8694fc5dfab98d4192fa0b
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.2.1-1ubuntu4.3_powerpc.deb
      Size/MD5:  4843450 c483fbfca0036b0454a66231e5eb5ca4
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3_powerpc.deb
      Size/MD5:   678768 fce379059fbc71ef9c0016e77092c128

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.2.1-1ubuntu4.3_sparc.deb
      Size/MD5:   294868 0b79ad3c17899fc7d4e374903b4433a7
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.2.1-1ubuntu4.3_sparc.deb
      Size/MD5:  1483770 1ca2179e7f56fb64b3ff898163149aa8
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.2.1-1ubuntu4.3_sparc.deb
      Size/MD5:  4447692 3b7619af602cae52a0aaf305f8ffa554
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3_sparc.deb
      Size/MD5:   609750 3471725c85e7183458134e7b6f72428f

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2.diff.gz
      Size/MD5:    66731 5928aa79ba1425f6171ff2498ed82c57
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2.dsc
      Size/MD5:     1539 be09a810e567b6d5e9c0e699ea6f6d35
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1.orig.tar.gz
      Size/MD5: 13297380 25e3593d5e6bfc17911111475a057778

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch-dev_2.4.1-1ubuntu2.2_all.deb
      Size/MD5:    37848 cdd046022be11e393c94cd06427f1a3a
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-bin_2.4.1-1ubuntu2.2_all.deb
      Size/MD5:    92034 4bb65e5ae1ce1345a8403ce45613123e
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-dev_2.4.1-1ubuntu2.2_all.deb
      Size/MD5:   234266 050e32d2264f10bc4e16d43c9ef0f225
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-data_2.4.1-1ubuntu2.2_all.deb
      Size/MD5:  1328710 cbb005a2f0dc4b5bb2425d1448608863
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dev_2.4.1-1ubuntu2.2_all.deb
      Size/MD5:    72632 c724bea962c7107f16fbb1d4b837d738
    http://security.ubuntu.com/ubuntu/pool/universe/p/pidgin/gaim_2.4.1-1ubuntu2.2_all.deb
      Size/MD5:    86300 774f5f7e6d2a495eb272d4249d185df9

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.2_amd64.deb
      Size/MD5:   226884 778654356ed8517a62e531967a60619a
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.2_amd64.deb
      Size/MD5:  1604782 0693279fa29bb9b7c104e767a9d0cf96
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.2_amd64.deb
      Size/MD5:  4431992 f3301cd351a4d29bbf5fca944fd52ac3
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2_amd64.deb
      Size/MD5:   572144 3709481a941f530c1cfd8b18efadd367

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.2_i386.deb
      Size/MD5:   200878 8ea4b5d4ef47709be587bc0b30d27910
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.2_i386.deb
      Size/MD5:  1365460 2ba4f4606e478b325f49a6058ed09886
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.2_i386.deb
      Size/MD5:  4242032 90317cc00e3037e852ce3857914cf511
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2_i386.deb
      Size/MD5:   517198 f7a61815aa2aff71475297cd7b76c546

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.2_lpia.deb
      Size/MD5:   197204 3858112dba3f65d1eb9a43d44a641226
    http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.2_lpia.deb
      Size/MD5:  1415086 d0d08032e22ac56132999a61d75f8071
    http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.2_lpia.deb
      Size/MD5:  4371468 30ef5919816607e4f2594e8fa664d02b
    http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2_lpia.deb
      Size/MD5:   511682 85c979fcb75af48298b2652469d46a47

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.2_powerpc.deb
      Size/MD5:   237202 196a4925b68d32e2ad35cff8aaec3b08
    http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.2_powerpc.deb
      Size/MD5:  1633050 9d3cb75d0b064b3c321632852b01cfca
    http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.2_powerpc.deb
      Size/MD5:  4474528 bc9647e3320d694226a2a8e6f107ec02
    http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2_powerpc.deb
      Size/MD5:   589690 56edd0928fd37d727707c056a6b2817b

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.2_sparc.deb
      Size/MD5:   212828 72ae328af916d4e831f387092561e4ef
    http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.2_sparc.deb
      Size/MD5:  1531820 7f5759f32b810ba0d2765f881f4661dc
    http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.2_sparc.deb
      Size/MD5:  4363018 9ec1b1e8a3d8b71f47f7e49f07bc9319
    http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2_sparc.deb
      Size/MD5:   545602 a269667a162aff2a50b482a58bb23233
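To check an out-of-band download against the listing above, as an added example that is not part of the advisory: the script parses the two-line "URL" / "Size/MD5:" entries (an excerpt of the listing is embedded so it runs offline) and streams each file through MD5, checking the size first because that is cheap. Two caveats a practitioner should keep in mind: MD5 collisions have been practical since 2004, so these sums only detect corruption or tampering by someone who cannot also forge the mail, and the authenticity of the list rests on the PGP signature attached to the message and, for a normal upgrade, on apt's verification of the signed Release file. parse_checksums, verify_file and verify_downloads are names chosen for this example.

```python
import hashlib
import io
import os
import re

# Excerpt copied from this advisory's own listing (the full message has many more entries).
ADVISORY_EXCERPT = """
  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1.orig.tar.gz
      Size/MD5: 13297380 25e3593d5e6bfc17911111475a057778

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.2_i386.deb
      Size/MD5:  1365460 2ba4f4606e478b325f49a6058ed09886
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2_i386.deb
      Size/MD5:   517198 f7a61815aa2aff71475297cd7b76c546
"""

SUM_LINE = re.compile(r"^\s*Size/MD5:\s*(\d+)\s+([0-9a-fA-F]{32})\s*$")


def parse_checksums(text):
    """Map filename -> (size, md5) from the advisory's entries: a URL line
    immediately followed by a 'Size/MD5:' line."""
    sums = {}
    pending_url = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("http://", "https://")):
            pending_url = stripped
            continue
        m = SUM_LINE.match(line)
        if m and pending_url:
            sums[pending_url.rsplit("/", 1)[-1]] = (int(m.group(1)), m.group(2).lower())
        pending_url = None  # a sum line must directly follow its URL
    return sums


def digest_stream(stream, chunk_size=1 << 16):
    """Stream data through MD5 so a 13 MB tarball is never read into memory at once."""
    h = hashlib.md5()
    size = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return size, h.hexdigest()
        size += len(chunk)
        h.update(chunk)


def verify_bytes(data, expected_size, expected_md5):
    """Check an in-memory blob against a listed (size, md5) pair."""
    return digest_stream(io.BytesIO(data)) == (expected_size, expected_md5.lower())


def verify_file(path, expected_size, expected_md5):
    """Size check first (cheap), then the digest; both must match."""
    if os.path.getsize(path) != expected_size:
        return False
    with open(path, "rb") as f:
        return digest_stream(f) == (expected_size, expected_md5.lower())


def verify_downloads(directory, sums):
    """Verify every listed file present in directory; returns {filename: True/False}."""
    results = {}
    for name, (size, md5) in sums.items():
        path = os.path.join(directory, name)
        if os.path.exists(path):
            results[name] = verify_file(path, size, md5)
    return results


if __name__ == "__main__":
    import sys
    directory = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, ok in sorted(verify_downloads(directory, parse_checksums(ADVISORY_EXCERPT)).items()):
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

Point ADVISORY_EXCERPT at the whole message body (for instance by reading the saved mail) to cover every architecture; files listed but not present in the directory are simply skipped rather than reported as failures.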



[Attachment: "signature.asc", application/pgp-signature, 198 bytes]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
