Message-Id: <1244038819.12402.1.camel@mdlinux.technorage.com>
Date: Wed, 03 Jun 2009 10:20:19 -0400
From: Marc Deslauriers <marc.deslauriers@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-781-1] Pidgin vulnerabilities

===========================================================
Ubuntu Security Notice USN-781-1              June 03, 2009
pidgin vulnerabilities
CVE-2009-1373, CVE-2009-1374, CVE-2009-1375, CVE-2009-1376
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  pidgin                          1:2.4.1-1ubuntu2.4

Ubuntu 8.10:
  pidgin                          1:2.5.2-0ubuntu1.2

Ubuntu 9.04:
  pidgin                          1:2.5.5-1ubuntu8.1

After a standard system upgrade you need to restart Pidgin to effect
the necessary changes.
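A check for whether an installed pidgin is at or above the fixed version for its release, added here as an example and not part of the notice: it reimplements dpkg's version ordering (epoch, then upstream, then revision, with "~" sorting lowest) in Python so it runs without dpkg, and assumes the release string is what `lsb_release -rs` prints and the installed version is what `dpkg-query -W -f='${Version}' pidgin` returns.

```python
# Fixed pidgin versions from USN-781-1, keyed by the Ubuntu release number
FIXED_VERSIONS = {
    "8.04": "1:2.4.1-1ubuntu2.4",
    "8.10": "1:2.5.2-0ubuntu1.2",
    "9.04": "1:2.5.5-1ubuntu8.1",
}

def _order(c):
    # dpkg's verrevcmp() weight: '~' < end of string or digit < letters < other punctuation
    return -1 if c == "~" else 0 if not c or c.isdigit() else (
        ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_part(a, b):
    # Compare an upstream or revision string the dpkg way: negative, zero or positive
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])   # "" once a side runs out
            if ac != bc:
                return ac - bc       # non-digit runs are compared character by character
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1             # digit runs: drop leading zeros,
        while j < len(b) and b[j] == "0": j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])  # remember the first differing digit,
            i, j = i + 1, j + 1
        a_more = i < len(a) and a[i].isdigit()               # then the longer number wins,
        b_more = j < len(b) and b[j].isdigit()
        if a_more or b_more or first_diff:
            return (a_more - b_more) or first_diff           # else that first digit decides
    return 0

def dpkg_compare(v1, v2):
    # -1, 0 or 1 like `dpkg --compare-versions`: epoch, then upstream, then revision
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    c = (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)
    return (c > 0) - (c < 0)

def pidgin_is_patched(release, installed):
    # True when the installed version string is at or above this release's USN-781-1 fix
    fixed = FIXED_VERSIONS.get(release)
    if fixed is None:
        raise ValueError("USN-781-1 does not cover Ubuntu " + release)
    return dpkg_compare(installed, fixed) >= 0
```

A release the notice does not list raises rather than silently reporting "patched", since an unlisted release needs a different notice rather than this version table.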

Details follow:

It was discovered that Pidgin did not properly handle certain malformed
messages when sending a file using the XMPP protocol handler. If a user
were tricked into sending a file, a remote attacker could send a specially
crafted response and cause Pidgin to crash, or possibly execute arbitrary
code with user privileges. (CVE-2009-1373)

It was discovered that Pidgin did not properly handle certain malformed
messages in the QQ protocol handler. A remote attacker could send a
specially crafted message and cause Pidgin to crash. This issue only
affected Ubuntu 8.10 and 9.04. (CVE-2009-1374)

It was discovered that Pidgin did not properly handle certain malformed
messages in the XMPP and Sametime protocol handlers. A remote attacker
could send a specially crafted message and cause Pidgin to crash.
(CVE-2009-1375)

It was discovered that Pidgin did not properly handle certain malformed
messages in the MSN protocol handler. A remote attacker could send a
specially crafted message and possibly execute arbitrary code with user
privileges. (CVE-2009-1376)


Updated packages for Ubuntu 8.04 LTS:

Updated packages for Ubuntu 8.10:

Updated packages for Ubuntu 9.04:
