lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1MLjo8-0004p5-MH@titan.mandriva.com>
Date: Tue, 30 Jun 2009 22:20:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:147 ] pidgin


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:147
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : pidgin
 Date    : June 30, 2009
 Affected: 2009.0, 2009.1
 _______________________________________________________________________

 Problem Description:

 Security vulnerabilities has been identified and fixed in pidgin:
 
 Buffer overflow in the XMPP SOCKS5 bytestream server in Pidgin
 (formerly Gaim) before 2.5.6 allows remote authenticated users to
 execute arbitrary code via vectors involving an outbound XMPP file
 transfer. NOTE: some of these details are obtained from third party
 information (CVE-2009-1373).
 
 Buffer overflow in the decrypt_out function in Pidgin (formerly Gaim)
 before 2.5.6 allows remote attackers to cause a denial of service
 (application crash) via a QQ packet (CVE-2009-1374).
 
 The PurpleCircBuffer implementation in Pidgin (formerly Gaim) before
 2.5.6 does not properly maintain a certain buffer, which allows
 remote attackers to cause a denial of service (memory corruption
 and application crash) via vectors involving the (1) XMPP or (2)
 Sametime protocol (CVE-2009-1375).
 
 Multiple integer overflows in the msn_slplink_process_msg functions in
 the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and
 (2) libpurple/protocols/msnp9/slplink.c in Pidgin (formerly Gaim)
 before 2.5.6 on 32-bit platforms allow remote attackers to execute
 arbitrary code via a malformed SLP message with a crafted offset
 value, leading to buffer overflows. NOTE: this issue exists because
 of an incomplete fix for CVE-2008-2927 (CVE-2009-1376).
 
 This update provides pidgin 2.5.8, which is not vulnerable to these
 issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1373
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1374
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1375
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1376
 http://pidgin.im/news/security/
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 0b9c5812047b6913b62d962d6b2e23ce  2009.0/i586/finch-2.5.8-0.2mdv2009.0.i586.rpm
 2e163af32cb31fcbadb823def93ed7f8  2009.0/i586/libfinch0-2.5.8-0.2mdv2009.0.i586.rpm
 8ac2c52ffdab796e3dad1d38733064ff  2009.0/i586/libpurple0-2.5.8-0.2mdv2009.0.i586.rpm
 f0db58c858207f9560548d949b48d261  2009.0/i586/libpurple-devel-2.5.8-0.2mdv2009.0.i586.rpm
 5169c7ebe58ae7180849d7ed517121c8  2009.0/i586/pidgin-2.5.8-0.2mdv2009.0.i586.rpm
 4d13d3689764970fa898c1fad1cc5764  2009.0/i586/pidgin-bonjour-2.5.8-0.2mdv2009.0.i586.rpm
 a1830c84222ffc88855d8eb92c859641  2009.0/i586/pidgin-client-2.5.8-0.2mdv2009.0.i586.rpm
 bf2b1e97c096cc0448d808a4a88b3f3e  2009.0/i586/pidgin-gevolution-2.5.8-0.2mdv2009.0.i586.rpm
 f7fc2376cacab7d26ae56ee6b64349a0  2009.0/i586/pidgin-i18n-2.5.8-0.2mdv2009.0.i586.rpm
 edaa8098fc045f2d62eb34520a15dc3f  2009.0/i586/pidgin-meanwhile-2.5.8-0.2mdv2009.0.i586.rpm
 11ffe25c191b1e3e9960ed082390f7c4  2009.0/i586/pidgin-mono-2.5.8-0.2mdv2009.0.i586.rpm
 7c52bfd76a126296d01db5f91070697e  2009.0/i586/pidgin-perl-2.5.8-0.2mdv2009.0.i586.rpm
 f1a0e77257376b4ae76d3860798a1f48  2009.0/i586/pidgin-plugins-2.5.8-0.2mdv2009.0.i586.rpm
 d9d098ba185b307bd6a1841e34b6f34f  2009.0/i586/pidgin-silc-2.5.8-0.2mdv2009.0.i586.rpm
 85e866aa7309873647ee6dbd8e25f19b  2009.0/i586/pidgin-tcl-2.5.8-0.2mdv2009.0.i586.rpm 
 f58c790083e6cbe2e18ca162368b8222  2009.0/SRPMS/pidgin-2.5.8-0.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 1261bbf57c000e72386cc2527b5dc36f  2009.0/x86_64/finch-2.5.8-0.2mdv2009.0.x86_64.rpm
 a8e36217c7bb9382fec36b3678d7f22a  2009.0/x86_64/lib64finch0-2.5.8-0.2mdv2009.0.x86_64.rpm
 cc68a1500a192bcd1e1e74b01bfa88f6  2009.0/x86_64/lib64purple0-2.5.8-0.2mdv2009.0.x86_64.rpm
 b023996495bfccbcc42546ee50d86cb8  2009.0/x86_64/lib64purple-devel-2.5.8-0.2mdv2009.0.x86_64.rpm
 483d34d8c6dbd627c8f42ca7026c4891  2009.0/x86_64/pidgin-2.5.8-0.2mdv2009.0.x86_64.rpm
 dd297e049a355c5a577fd6ff05fa8e1a  2009.0/x86_64/pidgin-bonjour-2.5.8-0.2mdv2009.0.x86_64.rpm
 99552bd5cdc82dbcc654fce15f61d092  2009.0/x86_64/pidgin-client-2.5.8-0.2mdv2009.0.x86_64.rpm
 b18bb378d4113d39cfd7f688b1d7d0e4  2009.0/x86_64/pidgin-gevolution-2.5.8-0.2mdv2009.0.x86_64.rpm
 ddffc838f823bd823da1f9590ec70b92  2009.0/x86_64/pidgin-i18n-2.5.8-0.2mdv2009.0.x86_64.rpm
 a5144eb447ec121820eae2d95429634a  2009.0/x86_64/pidgin-meanwhile-2.5.8-0.2mdv2009.0.x86_64.rpm
 864a95349dc2f85f41d337f35f7e22d0  2009.0/x86_64/pidgin-mono-2.5.8-0.2mdv2009.0.x86_64.rpm
 40117254cd1226cd29e233c48de1b6e2  2009.0/x86_64/pidgin-perl-2.5.8-0.2mdv2009.0.x86_64.rpm
 45e24144e272a726ece9206bf2d7ca37  2009.0/x86_64/pidgin-plugins-2.5.8-0.2mdv2009.0.x86_64.rpm
 7966dacf3a120cb25d463ae6cc96da66  2009.0/x86_64/pidgin-silc-2.5.8-0.2mdv2009.0.x86_64.rpm
 c2f86df2348c18f6f88f0f044fc0858c  2009.0/x86_64/pidgin-tcl-2.5.8-0.2mdv2009.0.x86_64.rpm 
 f58c790083e6cbe2e18ca162368b8222  2009.0/SRPMS/pidgin-2.5.8-0.2mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 f67e4c3f8d66c7f41d138a0786bf002b  2009.1/i586/finch-2.5.8-0.2mdv2009.1.i586.rpm
 a1458b3a10086562af8588b14a6e7648  2009.1/i586/libfinch0-2.5.8-0.2mdv2009.1.i586.rpm
 9369bcf4e812f4085f0db10301f052ad  2009.1/i586/libpurple0-2.5.8-0.2mdv2009.1.i586.rpm
 92f4b3e3fc1380dccbbc5b1d34cc3893  2009.1/i586/libpurple-devel-2.5.8-0.2mdv2009.1.i586.rpm
 2146bd6f5200d0f92678481f4a570f14  2009.1/i586/pidgin-2.5.8-0.2mdv2009.1.i586.rpm
 cfcd5d1fa2d5526c28fc63ac458ef0ef  2009.1/i586/pidgin-bonjour-2.5.8-0.2mdv2009.1.i586.rpm
 6e3afaf1f4838268abef2ce4d285ff9f  2009.1/i586/pidgin-client-2.5.8-0.2mdv2009.1.i586.rpm
 de326d636c98402ffdc1ee1e2e0daa4b  2009.1/i586/pidgin-gevolution-2.5.8-0.2mdv2009.1.i586.rpm
 e7b3ff08b89ae7d3bd3ac06edbda2e34  2009.1/i586/pidgin-i18n-2.5.8-0.2mdv2009.1.i586.rpm
 18991a44ed768591999de24430f0243b  2009.1/i586/pidgin-meanwhile-2.5.8-0.2mdv2009.1.i586.rpm
 1cdd6f5ef69508e38354e24dea17e1a9  2009.1/i586/pidgin-mono-2.5.8-0.2mdv2009.1.i586.rpm
 35188862c9641d841e85f5b22dad7449  2009.1/i586/pidgin-perl-2.5.8-0.2mdv2009.1.i586.rpm
 7d4e325b6008d26458291e7b7951eaec  2009.1/i586/pidgin-plugins-2.5.8-0.2mdv2009.1.i586.rpm
 e6c6d611f2f3085920a2715b6f1d01d8  2009.1/i586/pidgin-silc-2.5.8-0.2mdv2009.1.i586.rpm
 0cadc9118ed484b073560423be0feaf4  2009.1/i586/pidgin-tcl-2.5.8-0.2mdv2009.1.i586.rpm 
 ebb50e4b0a97cc460e2d8486f3c01eed  2009.1/SRPMS/pidgin-2.5.8-0.2mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 d1b2d58b4e4c931e45c331b888ef1084  2009.1/x86_64/finch-2.5.8-0.2mdv2009.1.x86_64.rpm
 57cc9ff2f0f54697c2490fbd8726b181  2009.1/x86_64/lib64finch0-2.5.8-0.2mdv2009.1.x86_64.rpm
 7606985a068954fca5d16d7333ff2222  2009.1/x86_64/lib64purple0-2.5.8-0.2mdv2009.1.x86_64.rpm
 6114731e237d3e5c066edc6a5a40290e  2009.1/x86_64/lib64purple-devel-2.5.8-0.2mdv2009.1.x86_64.rpm
 66c33bfa51bdc6a125c776f76486f29e  2009.1/x86_64/pidgin-2.5.8-0.2mdv2009.1.x86_64.rpm
 fc0d59febb37fd8422a57dd759130bb8  2009.1/x86_64/pidgin-bonjour-2.5.8-0.2mdv2009.1.x86_64.rpm
 d781057e99674e435243a6fc1ccd9c50  2009.1/x86_64/pidgin-client-2.5.8-0.2mdv2009.1.x86_64.rpm
 0ce092cc85f8024e33361f488ff5f617  2009.1/x86_64/pidgin-gevolution-2.5.8-0.2mdv2009.1.x86_64.rpm
 0db0e946667615e20c3ce2aae0c8c840  2009.1/x86_64/pidgin-i18n-2.5.8-0.2mdv2009.1.x86_64.rpm
 8ac630cc5228aabd7c64ebad0708dfbc  2009.1/x86_64/pidgin-meanwhile-2.5.8-0.2mdv2009.1.x86_64.rpm
 71843c7958e5e037137ac62f52ec59a8  2009.1/x86_64/pidgin-mono-2.5.8-0.2mdv2009.1.x86_64.rpm
 2b3a2fccde7218a226f07497ab18acda  2009.1/x86_64/pidgin-perl-2.5.8-0.2mdv2009.1.x86_64.rpm
 6c13aed8b7090e0ce146b64fe479e822  2009.1/x86_64/pidgin-plugins-2.5.8-0.2mdv2009.1.x86_64.rpm
 81ffeb84eea5f93f0e94e7035c858107  2009.1/x86_64/pidgin-silc-2.5.8-0.2mdv2009.1.x86_64.rpm
 93ef210add576d311aa2a033cef3c77c  2009.1/x86_64/pidgin-tcl-2.5.8-0.2mdv2009.1.x86_64.rpm 
 ebb50e4b0a97cc460e2d8486f3c01eed  2009.1/SRPMS/pidgin-2.5.8-0.2mdv2009.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKSkfAmqjQ0CJFipgRAjXiAJ0e+atKRUTzOr6SQ+DgOHwOvk02qgCeMPFg
+H4DlSU9YzPLzeKFhKFdE94=
=uRxq
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ