[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1244038819.12402.1.camel@mdlinux.technorage.com>
Date: Wed, 03 Jun 2009 10:20:19 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-781-1] Pidgin vulnerabilities
===========================================================
Ubuntu Security Notice USN-781-1 June 03, 2009
pidgin vulnerabilities
CVE-2009-1373, CVE-2009-1374, CVE-2009-1375, CVE-2009-1376
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 8.04 LTS:
pidgin 1:2.4.1-1ubuntu2.4
Ubuntu 8.10:
pidgin 1:2.5.2-0ubuntu1.2
Ubuntu 9.04:
pidgin 1:2.5.5-1ubuntu8.1
After a standard system upgrade you need to restart Pidgin to effect
the necessary changes.
Details follow:
It was discovered that Pidgin did not properly handle certain malformed
messages when sending a file using the XMPP protocol handler. If a user
were tricked into sending a file, a remote attacker could send a specially
crafted response and cause Pidgin to crash, or possibly execute arbitrary
code with user privileges. (CVE-2009-1373)
It was discovered that Pidgin did not properly handle certain malformed
messages in the QQ protocol handler. A remote attacker could send a
specially crafted message and cause Pidgin to crash. This issue only
affected Ubuntu 8.10 and 9.04. (CVE-2009-1374)
It was discovered that Pidgin did not properly handle certain malformed
messages in the XMPP and Sametime protocol handlers. A remote attacker
could send a specially crafted message and cause Pidgin to crash.
(CVE-2009-1375)
It was discovered that Pidgin did not properly handle certain malformed
messages in the MSN protocol handler. A remote attacker could send a
specially crafted message and possibly execute arbitrary code with user
privileges. (CVE-2009-1376)
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.4.diff.gz
Size/MD5: 68347 9be15621e9a9801a31b8ae6e4b82e0db
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.4.dsc
Size/MD5: 1539 7975b51e7a1d4c996282f51a584e0124
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1.orig.tar.gz
Size/MD5: 13297380 25e3593d5e6bfc17911111475a057778
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch-dev_2.4.1-1ubuntu2.4_all.deb
Size/MD5: 37846 9c9c3f7775b089058bf603e28bd89240
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-bin_2.4.1-1ubuntu2.4_all.deb
Size/MD5: 92352 ed5c3b2560b070733f7385d6a337f155
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-dev_2.4.1-1ubuntu2.4_all.deb
Size/MD5: 234514 e3dc4721dcf091410a41e3d9faf807a6
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-data_2.4.1-1ubuntu2.4_all.deb
Size/MD5: 1328934 93a62c9f2fd928c3ff1fafca325f3b50
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dev_2.4.1-1ubuntu2.4_all.deb
Size/MD5: 72638 8ad1fef0587ccbf626eb44587ba20e16
http://security.ubuntu.com/ubuntu/pool/universe/p/pidgin/gaim_2.4.1-1ubuntu2.4_all.deb
Size/MD5: 86574 82e3c5c4361510f90b6ae8ea1efd15f6
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.4_amd64.deb
Size/MD5: 226874 aa753567d7edd194332eb2bfa8fd60ff
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.4_amd64.deb
Size/MD5: 1604862 dbcc4128429686bfa835d563e6570e26
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.4_amd64.deb
Size/MD5: 4432628 0b9baad686d3e5e1235c7996d104273a
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.4_amd64.deb
Size/MD5: 572090 d0bad2b9275b71af32231f5248393d12
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.4_i386.deb
Size/MD5: 200862 da71501bc4468b027e3d00dd03f607aa
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.4_i386.deb
Size/MD5: 1365220 3853002c7d926ae93163c4bb1cead9b2
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.4_i386.deb
Size/MD5: 4242680 17ba46fc81a67a4e8daa78a0e24881ca
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.4_i386.deb
Size/MD5: 517126 a1728b5ffb4c858df3a3696880ac2866
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.4_lpia.deb
Size/MD5: 197196 52fba9ae4400e779d792c3fac02afbc5
http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.4_lpia.deb
Size/MD5: 1415190 725ae9563bb29f71a33e21f51dbafe91
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.4_lpia.deb
Size/MD5: 4372348 467c8f22104d8a7510f17720f92849c8
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.4_lpia.deb
Size/MD5: 511654 bc9a49261f7fd4d42e7fcb15f9cf61d8
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.4_powerpc.deb
Size/MD5: 237204 df93dfb31597cb65766e9def9514fbb5
http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.4_powerpc.deb
Size/MD5: 1633562 5923438d1915040c9550ce705aa24212
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.4_powerpc.deb
Size/MD5: 4475570 d0a2ee70257e289b79529cfe87c375e0
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.4_powerpc.deb
Size/MD5: 589648 9807242929f9afb819fc4fdd6285d811
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.4_sparc.deb
Size/MD5: 212830 3176346be35b75d951a6960c1ac62333
http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.4_sparc.deb
Size/MD5: 1531840 06b53e84b93d41585eeb2f0ebe572bc7
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.4_sparc.deb
Size/MD5: 4363738 0d1d086c4b15c87d0165bfb02ec80e29
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.4_sparc.deb
Size/MD5: 545626 ae8b3edc96a5a578271671652b7f0afd
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.2-0ubuntu1.2.diff.gz
Size/MD5: 60192 538fa71576474dc52288fcbb6b40581a
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.2-0ubuntu1.2.dsc
Size/MD5: 1995 554c6183486df7af4c9d3929e5f54263
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.2.orig.tar.gz
Size/MD5: 11642659 3ad83133a2381087cbdddf42ba5d6ecf
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch-dev_2.5.2-0ubuntu1.2_all.deb
Size/MD5: 38224 65b54c109e1d8ae04104da36e5806c18
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-bin_2.5.2-0ubuntu1.2_all.deb
Size/MD5: 94868 f2f3cc3410268e74487fa16fb3d410ed
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-dev_2.5.2-0ubuntu1.2_all.deb
Size/MD5: 242302 4ef3557231e12e7cf34bcb249109034f
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-data_2.5.2-0ubuntu1.2_all.deb
Size/MD5: 1106854 5c9bc67c07da0c8e633970d1e9db3f48
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dev_2.5.2-0ubuntu1.2_all.deb
Size/MD5: 1357176 ed07a18f8bdc63fa953c74b0c175e50f
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.5.2-0ubuntu1.2_amd64.deb
Size/MD5: 230066 d4c2dc45b4a32f8f8d6da9f6086af24e
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.5.2-0ubuntu1.2_amd64.deb
Size/MD5: 1754456 fe7611e988e8d22a65abbe1301d2965b
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.5.2-0ubuntu1.2_amd64.deb
Size/MD5: 4660352 66cca2215df947143266932d10af883f
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.2-0ubuntu1.2_amd64.deb
Size/MD5: 613956 adfbc24ab8c5eb3b21bb7f628c61bdce
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.5.2-0ubuntu1.2_i386.deb
Size/MD5: 204004 0e0d344adeda941342d8fb7867668dbf
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.5.2-0ubuntu1.2_i386.deb
Size/MD5: 1503322 8f66c12c95d7c552309ae57dd043a29a
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.5.2-0ubuntu1.2_i386.deb
Size/MD5: 4464482 1e3f00d26b6e416bd75bf695ce1e09c0
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.2-0ubuntu1.2_i386.deb
Size/MD5: 559582 0fb6713e8965f9b9eca4d74eaf7ae7a9
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.5.2-0ubuntu1.2_lpia.deb
Size/MD5: 200664 2d974ab524d81fc118471ae19e1c8937
http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.5.2-0ubuntu1.2_lpia.deb
Size/MD5: 1552110 c4f9431b8bdadbec7fb5e408fcd1acfc
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.5.2-0ubuntu1.2_lpia.deb
Size/MD5: 4599180 d9064f44228e108cb661bd7906ab7386
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.5.2-0ubuntu1.2_lpia.deb
Size/MD5: 553788 c9f8e5422da2e8e6576f39db4cd2085d
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.5.2-0ubuntu1.2_powerpc.deb
Size/MD5: 235480 d9ee88f9545b7b58db2cd68fe6a8066b
http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.5.2-0ubuntu1.2_powerpc.deb
Size/MD5: 1790404 c1b95833f5bb7324267dd5155d950441
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.5.2-0ubuntu1.2_powerpc.deb
Size/MD5: 4684942 acb33467a37ed8f102ebde7054c946d6
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.5.2-0ubuntu1.2_powerpc.deb
Size/MD5: 619564 4bfd7a4e496b8647071846ad0616657a
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.5.2-0ubuntu1.2_sparc.deb
Size/MD5: 217318 cdbd481faa314f8ba35f35a475a42795
http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.5.2-0ubuntu1.2_sparc.deb
Size/MD5: 1682664 fab2a1a49a81a68ae6a93616bd570555
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.5.2-0ubuntu1.2_sparc.deb
Size/MD5: 4586562 d459d38877c2249fc561b77732f9b79e
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.5.2-0ubuntu1.2_sparc.deb
Size/MD5: 590732 a0fc31cd9e06ba80c350e0a9b7f80c03
Updated packages for Ubuntu 9.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.5-1ubuntu8.1.diff.gz
Size/MD5: 64524 fee7dadd7a38c04558ab4c09d5f42aa1
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.5-1ubuntu8.1.dsc
Size/MD5: 1932 0fb4cdde59be102a856ab10e00b8e043
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.5.orig.tar.gz
Size/MD5: 11989031 08d9c0c8dd43dbcec6f67d8ba596029f
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch-dev_2.5.5-1ubuntu8.1_all.deb
Size/MD5: 38446 aef71d1ba6b6c7e8049e89ccc1bd88bb
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-bin_2.5.5-1ubuntu8.1_all.deb
Size/MD5: 97200 049318fbf3c736bf1832dbfd6dedde2c
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-dev_2.5.5-1ubuntu8.1_all.deb
Size/MD5: 245162 1726a391577683475060704eb55bdf9a
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-data_2.5.5-1ubuntu8.1_all.deb
Size/MD5: 1150574 431c7d4325133491b6e1fa688c4a9242
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dev_2.5.5-1ubuntu8.1_all.deb
Size/MD5: 1371370 5e90e70e80ed5e0b7f36695464c5f72a
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.5.5-1ubuntu8.1_amd64.deb
Size/MD5: 235086 6d2fce235edeb7a32a7a86c57a71b2ed
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.5.5-1ubuntu8.1_amd64.deb
Size/MD5: 1803258 2304c36adbcfc8349a4a3952808a2bb8
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.5.5-1ubuntu8.1_amd64.deb
Size/MD5: 5845696 c8594eceb93ccb3c6ada5cd1ee230912
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.5-1ubuntu8.1_amd64.deb
Size/MD5: 567404 8a8b1b7a23f63312034a040cb1aa7e63
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.5.5-1ubuntu8.1_i386.deb
Size/MD5: 213598 ab2e38a8d6530963231b39a9829fb2d2
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.5.5-1ubuntu8.1_i386.deb
Size/MD5: 1587104 90fbc2afe03c377aba029781ff5fe1df
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.5.5-1ubuntu8.1_i386.deb
Size/MD5: 5447882 24f1c24b149fb328ccdea99eca1acafa
http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.5.5-1ubuntu8.1_i386.deb
Size/MD5: 519328 4de797df556660bbe4c0f6f28e8e11bb
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.5.5-1ubuntu8.1_lpia.deb
Size/MD5: 212132 db58cde6f7138b158176b670bc74c119
http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.5.5-1ubuntu8.1_lpia.deb
Size/MD5: 1646866 180f87c414b037c37b0dead0cc0bda72
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.5.5-1ubuntu8.1_lpia.deb
Size/MD5: 5594786 cd51cab94e155ee1174eee622d4691a3
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.5.5-1ubuntu8.1_lpia.deb
Size/MD5: 518520 ee049929d1b3a60629ae8a00b6e710f2
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.5.5-1ubuntu8.1_powerpc.deb
Size/MD5: 245176 613a00f19ae14501f10b350cdb795d12
http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.5.5-1ubuntu8.1_powerpc.deb
Size/MD5: 1859288 69a9954613a68b7191c801a61930e4e8
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.5.5-1ubuntu8.1_powerpc.deb
Size/MD5: 5758266 a66bc8ac7ea4f8e8e1e1fb3367f5b25b
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.5.5-1ubuntu8.1_powerpc.deb
Size/MD5: 580976 3dd98008da3a34ab79726ee3efcb9d20
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.5.5-1ubuntu8.1_sparc.deb
Size/MD5: 214658 dddd0b9de17382e79c0bf6e497c78676
http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.5.5-1ubuntu8.1_sparc.deb
Size/MD5: 1673626 1f462818b9b194368d7451b70a148f07
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.5.5-1ubuntu8.1_sparc.deb
Size/MD5: 5291802 1b1510fb9035637aebb5bce856484c75
http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.5.5-1ubuntu8.1_sparc.deb
Size/MD5: 522160 af6ecc55c88eede805e1398e5204bdf3
Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists