[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1Mm8Th-0000J5-BC@titan.mandriva.com>
Date: Fri, 11 Sep 2009 17:56:01 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:230 ] pidgin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:230
http://www.mandriva.com/security/
_______________________________________________________________________
Package : pidgin
Date : September 11, 2009
Affected: 2009.0, 2009.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Security vulnerabilities has been identified and fixed in pidgin:
The msn_slplink_process_msg function in
libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin
(formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows
remote attackers to execute arbitrary code or cause a denial of service
(memory corruption and application crash) by sending multiple crafted
SLP (aka MSNSLP) messages to trigger an overwrite of an arbitrary
memory location. NOTE: this issue reportedly exists because of an
incomplete fix for CVE-2009-1376 (CVE-2009-2694).
Unspecified vulnerability in Pidgin 2.6.0 allows remote attackers
to cause a denial of service (crash) via a link in a Yahoo IM
(CVE-2009-3025)
protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly
other versions, does not follow the require TLS/SSL preference
when connecting to older Jabber servers that do not follow the XMPP
specification, which causes libpurple to connect to the server without
the expected encryption and allows remote attackers to sniff sessions
(CVE-2009-3026).
libpurple/protocols/irc/msgs.c in the IRC protocol plugin in libpurple
in Pidgin before 2.6.2 allows remote IRC servers to cause a denial
of service (NULL pointer dereference and application crash) via a
TOPIC message that lacks a topic string (CVE-2009-2703).
The msn_slp_sip_recv function in libpurple/protocols/msn/slp.c in the
MSN protocol plugin in libpurple in Pidgin before 2.6.2 allows remote
attackers to cause a denial of service (NULL pointer dereference
and application crash) via an SLP invite message that lacks certain
required fields, as demonstrated by a malformed message from a KMess
client (CVE-2009-3083).
The msn_slp_process_msg function in libpurple/protocols/msn/slpcall.c
in the MSN protocol plugin in libpurple 2.6.0 and 2.6.1, as used in
Pidgin before 2.6.2, allows remote attackers to cause a denial of
service (application crash) via a handwritten (aka Ink) message,
related to an uninitialized variable and the incorrect UTF16-LE
charset name (CVE-2009-3084).
The XMPP protocol plugin in libpurple in Pidgin before 2.6.2 does
not properly handle an error IQ stanza during an attempted fetch of
a custom smiley, which allows remote attackers to cause a denial of
service (application crash) via XHTML-IM content with cid: images
(CVE-2009-3085).
This update provides pidgin 2.6.2, which is not vulnerable to these
issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2694
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3026
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2703
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3085
http://pidgin.im/news/security/
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
dd2135de88f01028217b4146dbfdabc0 2009.0/i586/finch-2.6.2-1.1mdv2009.0.i586.rpm
0a62ef0d115db1d059ba8683d8b78543 2009.0/i586/libfinch0-2.6.2-1.1mdv2009.0.i586.rpm
d9138da684311ab0e77748b5d9251324 2009.0/i586/libpurple0-2.6.2-1.1mdv2009.0.i586.rpm
a795ae8b0a6d37dae3cdd5d626a1054b 2009.0/i586/libpurple-devel-2.6.2-1.1mdv2009.0.i586.rpm
e02ee9ac19b50b6313ab7e95955fc7dd 2009.0/i586/pidgin-2.6.2-1.1mdv2009.0.i586.rpm
d9da1b8df1a61a3c6a61fb661d0af935 2009.0/i586/pidgin-bonjour-2.6.2-1.1mdv2009.0.i586.rpm
fa74aa490a4a78a443f78273bd80c129 2009.0/i586/pidgin-client-2.6.2-1.1mdv2009.0.i586.rpm
fba34f0c6056aaeda170fb38bafc50f8 2009.0/i586/pidgin-gevolution-2.6.2-1.1mdv2009.0.i586.rpm
aa062eba94ee8a8857241879f83bb680 2009.0/i586/pidgin-i18n-2.6.2-1.1mdv2009.0.i586.rpm
3583204db49425789559de87f9c20e84 2009.0/i586/pidgin-meanwhile-2.6.2-1.1mdv2009.0.i586.rpm
83e2b09d13dc5880ce3779a659fa6edd 2009.0/i586/pidgin-mono-2.6.2-1.1mdv2009.0.i586.rpm
13115c52a371163466c9f8fb02c3b3f1 2009.0/i586/pidgin-perl-2.6.2-1.1mdv2009.0.i586.rpm
57c8369439d8ac73444f881e47bc7c7b 2009.0/i586/pidgin-plugins-2.6.2-1.1mdv2009.0.i586.rpm
1fe519efa96037e5b95360e6967fa872 2009.0/i586/pidgin-silc-2.6.2-1.1mdv2009.0.i586.rpm
ab47db7786ec117a66317dc91328117c 2009.0/i586/pidgin-tcl-2.6.2-1.1mdv2009.0.i586.rpm
3c72a8f93d85a71a5ec62065c71ac866 2009.0/SRPMS/pidgin-2.6.2-1.1mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
abe40e3b46e70d0f74c5b4195d4a7573 2009.0/x86_64/finch-2.6.2-1.1mdv2009.0.x86_64.rpm
1895ed3c44f5eb3bf08bba3d0d44329a 2009.0/x86_64/lib64finch0-2.6.2-1.1mdv2009.0.x86_64.rpm
16bcdf679539693dea8d115d6f4f57fa 2009.0/x86_64/lib64purple0-2.6.2-1.1mdv2009.0.x86_64.rpm
5359a59e9ddd524f3fe2e61374391e6c 2009.0/x86_64/lib64purple-devel-2.6.2-1.1mdv2009.0.x86_64.rpm
c59fedcacf46d230776c1fa588d2370d 2009.0/x86_64/pidgin-2.6.2-1.1mdv2009.0.x86_64.rpm
e4f7f1dded3d1de9ba3a7cb3251382ab 2009.0/x86_64/pidgin-bonjour-2.6.2-1.1mdv2009.0.x86_64.rpm
9c8326b381dc152f4121ab43104fca70 2009.0/x86_64/pidgin-client-2.6.2-1.1mdv2009.0.x86_64.rpm
c7f718a011414a1c2a30dc3c765fa57f 2009.0/x86_64/pidgin-gevolution-2.6.2-1.1mdv2009.0.x86_64.rpm
5a272130a6b76313263567fa4e4eb405 2009.0/x86_64/pidgin-i18n-2.6.2-1.1mdv2009.0.x86_64.rpm
c7ca5393d5b3c26c7969e1935f0f081f 2009.0/x86_64/pidgin-meanwhile-2.6.2-1.1mdv2009.0.x86_64.rpm
a352742a2c74ab2dee0fe923d8088b09 2009.0/x86_64/pidgin-mono-2.6.2-1.1mdv2009.0.x86_64.rpm
3a7ea7015ba7e4631629a6561969c5f1 2009.0/x86_64/pidgin-perl-2.6.2-1.1mdv2009.0.x86_64.rpm
673250d99488d52ac182234a977270c5 2009.0/x86_64/pidgin-plugins-2.6.2-1.1mdv2009.0.x86_64.rpm
b0b24b820b40b8ae0ea50b861cb24816 2009.0/x86_64/pidgin-silc-2.6.2-1.1mdv2009.0.x86_64.rpm
cde1df5b06fdd9a7f3abdacd519a4ded 2009.0/x86_64/pidgin-tcl-2.6.2-1.1mdv2009.0.x86_64.rpm
3c72a8f93d85a71a5ec62065c71ac866 2009.0/SRPMS/pidgin-2.6.2-1.1mdv2009.0.src.rpm
Mandriva Linux 2009.1:
a0dae5ebcc277d8a42dfbbbc273e2e7c 2009.1/i586/finch-2.6.2-1.1mdv2009.1.i586.rpm
3e31c84ecf92b24da7e63fda3e6bc57e 2009.1/i586/libfinch0-2.6.2-1.1mdv2009.1.i586.rpm
6c2e1b9d19fc77f438517512666d8015 2009.1/i586/libpurple0-2.6.2-1.1mdv2009.1.i586.rpm
924014945b93ced26931d96e7872b2ae 2009.1/i586/libpurple-devel-2.6.2-1.1mdv2009.1.i586.rpm
0c78dd3ef63b1e14bc1f881a8c15fecb 2009.1/i586/pidgin-2.6.2-1.1mdv2009.1.i586.rpm
3038bfbd661e5d467dec2c2ac9550b16 2009.1/i586/pidgin-bonjour-2.6.2-1.1mdv2009.1.i586.rpm
ea7a7a8d951f6deb0d68cfc162868a6a 2009.1/i586/pidgin-client-2.6.2-1.1mdv2009.1.i586.rpm
cb312d06aa0365d38e393c7625171e62 2009.1/i586/pidgin-gevolution-2.6.2-1.1mdv2009.1.i586.rpm
c8bfc1d06999ea0db358cbb008e51094 2009.1/i586/pidgin-i18n-2.6.2-1.1mdv2009.1.i586.rpm
b46996777660d0818dc1c3987ab698dc 2009.1/i586/pidgin-meanwhile-2.6.2-1.1mdv2009.1.i586.rpm
c761eb32c26ffd738b2ad3b61f78c011 2009.1/i586/pidgin-mono-2.6.2-1.1mdv2009.1.i586.rpm
aaba734ce1fd0425395132ce28e76c6b 2009.1/i586/pidgin-perl-2.6.2-1.1mdv2009.1.i586.rpm
4b7f6d886dda8a7e89a56e6cd459b888 2009.1/i586/pidgin-plugins-2.6.2-1.1mdv2009.1.i586.rpm
28c71dbe522e6c2315c0092b5c68f6a6 2009.1/i586/pidgin-silc-2.6.2-1.1mdv2009.1.i586.rpm
0aaa2db43643a3f2a471b5d29b89e794 2009.1/i586/pidgin-tcl-2.6.2-1.1mdv2009.1.i586.rpm
3607769d564d6cead9e66ddc97e90c26 2009.1/SRPMS/pidgin-2.6.2-1.1mdv2009.1.src.rpm
Mandriva Linux 2009.1/X86_64:
5996a662fd63ef72540432b9e723e376 2009.1/x86_64/finch-2.6.2-1.1mdv2009.1.x86_64.rpm
5daefd3daff1323ae6befca7ffeccf6d 2009.1/x86_64/lib64finch0-2.6.2-1.1mdv2009.1.x86_64.rpm
29c6cff6af5047f1c1e8c0e9cab1b343 2009.1/x86_64/lib64purple0-2.6.2-1.1mdv2009.1.x86_64.rpm
129363e98df30501bb591131f3b71974 2009.1/x86_64/lib64purple-devel-2.6.2-1.1mdv2009.1.x86_64.rpm
1dca4950a84ee467a1db32e33c272493 2009.1/x86_64/pidgin-2.6.2-1.1mdv2009.1.x86_64.rpm
efc25c6b71ae970de073641feed3d222 2009.1/x86_64/pidgin-bonjour-2.6.2-1.1mdv2009.1.x86_64.rpm
f57802d311e6676c359db58ce4f6c898 2009.1/x86_64/pidgin-client-2.6.2-1.1mdv2009.1.x86_64.rpm
3673312d1746554834679c0dd66f900a 2009.1/x86_64/pidgin-gevolution-2.6.2-1.1mdv2009.1.x86_64.rpm
6b4edbc3cbd95c4b73f199ec3dd07544 2009.1/x86_64/pidgin-i18n-2.6.2-1.1mdv2009.1.x86_64.rpm
07ddc3ebd9baa319fa42327ace7a51c1 2009.1/x86_64/pidgin-meanwhile-2.6.2-1.1mdv2009.1.x86_64.rpm
d3c41c1ef9cd7baa9febd7d073ef09a4 2009.1/x86_64/pidgin-mono-2.6.2-1.1mdv2009.1.x86_64.rpm
6ce2b600ff76999460c7e8ed7ef81904 2009.1/x86_64/pidgin-perl-2.6.2-1.1mdv2009.1.x86_64.rpm
d8be6a2e6bbba229edd7d7abcbf2ef76 2009.1/x86_64/pidgin-plugins-2.6.2-1.1mdv2009.1.x86_64.rpm
7ae3fdc1561a478052e2a3fe65488966 2009.1/x86_64/pidgin-silc-2.6.2-1.1mdv2009.1.x86_64.rpm
308d2a35011d9093973b393199de7393 2009.1/x86_64/pidgin-tcl-2.6.2-1.1mdv2009.1.x86_64.rpm
3607769d564d6cead9e66ddc97e90c26 2009.1/SRPMS/pidgin-2.6.2-1.1mdv2009.1.src.rpm
Mandriva Enterprise Server 5:
6a1a28fb7bb3037ae1528e792417300b mes5/i586/finch-2.6.2-1.1mdvmes5.i586.rpm
7f56781f36c71c0839741b728586ef85 mes5/i586/libfinch0-2.6.2-1.1mdvmes5.i586.rpm
f45ee50ed79e8101375a9236f937d658 mes5/i586/libpurple0-2.6.2-1.1mdvmes5.i586.rpm
b0455640d7149d9ad025ae42fce61b72 mes5/i586/libpurple-devel-2.6.2-1.1mdvmes5.i586.rpm
487fa34cda5ebd172673c4232a3009d3 mes5/i586/pidgin-2.6.2-1.1mdvmes5.i586.rpm
38220a322dc8b3fc2a264fb2bae2e54f mes5/i586/pidgin-bonjour-2.6.2-1.1mdvmes5.i586.rpm
9a6d4add9297029d774a3f4483be769f mes5/i586/pidgin-client-2.6.2-1.1mdvmes5.i586.rpm
5b4b62dd8555dc4b43d475c5dc04ff37 mes5/i586/pidgin-gevolution-2.6.2-1.1mdvmes5.i586.rpm
adb1072ce88c0a95afb2a41b07471f69 mes5/i586/pidgin-i18n-2.6.2-1.1mdvmes5.i586.rpm
3f2d24e39f650e1ce198b3555881d52f mes5/i586/pidgin-meanwhile-2.6.2-1.1mdvmes5.i586.rpm
70cc2085acb78b0a75df07c8d44122a6 mes5/i586/pidgin-mono-2.6.2-1.1mdvmes5.i586.rpm
2fc80c8e5d350ea77dbaf3bf53e738c9 mes5/i586/pidgin-perl-2.6.2-1.1mdvmes5.i586.rpm
9bb6bb95f035abec1d8db99fb7a95a94 mes5/i586/pidgin-plugins-2.6.2-1.1mdvmes5.i586.rpm
0e8e10245b3b2b2793e9830ebad65c9f mes5/i586/pidgin-silc-2.6.2-1.1mdvmes5.i586.rpm
87005bd59df0e60db09773f5ad51c65c mes5/i586/pidgin-tcl-2.6.2-1.1mdvmes5.i586.rpm
c5ba16d383624512a2accea0e49127e1 mes5/SRPMS/pidgin-2.6.2-1.1mdvmes5.src.rpm
Mandriva Enterprise Server 5/X86_64:
48559a9fbd602829a9018da470c737b7 mes5/x86_64/finch-2.6.2-1.1mdvmes5.x86_64.rpm
efc52b721d74bd54957d8381160930ae mes5/x86_64/lib64finch0-2.6.2-1.1mdvmes5.x86_64.rpm
cfa40992e6268de48742d863937a3ce5 mes5/x86_64/lib64purple0-2.6.2-1.1mdvmes5.x86_64.rpm
551c32363db750e426e3ba6aa482aa1b mes5/x86_64/lib64purple-devel-2.6.2-1.1mdvmes5.x86_64.rpm
f772d231fa7f5bfa83d7448b977ac9e4 mes5/x86_64/pidgin-2.6.2-1.1mdvmes5.x86_64.rpm
5e36d866ed4aead171f62b0ff52f86de mes5/x86_64/pidgin-bonjour-2.6.2-1.1mdvmes5.x86_64.rpm
8e93da5c587e1fc463c23a1e202c506f mes5/x86_64/pidgin-client-2.6.2-1.1mdvmes5.x86_64.rpm
35a37384b53cb597b796ce269b947c0c mes5/x86_64/pidgin-gevolution-2.6.2-1.1mdvmes5.x86_64.rpm
6d8a79d2da3c94034e9db65464304cba mes5/x86_64/pidgin-i18n-2.6.2-1.1mdvmes5.x86_64.rpm
be05186873330aca1a05143c7380b5e1 mes5/x86_64/pidgin-meanwhile-2.6.2-1.1mdvmes5.x86_64.rpm
669c51511f0c04f40779dd73e0c9f50d mes5/x86_64/pidgin-mono-2.6.2-1.1mdvmes5.x86_64.rpm
79bd83d747fa3e48d2ce18e8e5abb588 mes5/x86_64/pidgin-perl-2.6.2-1.1mdvmes5.x86_64.rpm
48eb4e61676abc78e769a0f660148814 mes5/x86_64/pidgin-plugins-2.6.2-1.1mdvmes5.x86_64.rpm
6c37ac6cbf4e83b8a4e09bfc62776d73 mes5/x86_64/pidgin-silc-2.6.2-1.1mdvmes5.x86_64.rpm
47262f2e661db28512c40710d9a59113 mes5/x86_64/pidgin-tcl-2.6.2-1.1mdvmes5.x86_64.rpm
c5ba16d383624512a2accea0e49127e1 mes5/SRPMS/pidgin-2.6.2-1.1mdvmes5.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKqkbImqjQ0CJFipgRAmItAKDwmkCL6bbeJfrQn7f0X8X1kUsE/gCeJQLu
eZC/xky0aMktS6+I56SNZh0=
=rl3L
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists