[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1NUVHg-0005Fh-Js@titan.mandriva.com>
Date: Tue, 12 Jan 2010 02:11:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:002 ] pidgin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:002
http://www.mandriva.com/security/
_______________________________________________________________________
Package : pidgin
Date : January 11, 2010
Affected: 2010.0
_______________________________________________________________________
Problem Description:
A security vulnerability has been identified and fixed in pidgin:
Directory traversal vulnerability in slp.c in the MSN protocol
plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows
remote attackers to read arbitrary files via a .. (dot dot) in an
application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request,
a related issue to CVE-2004-0122. NOTE: it could be argued that
this is resultant from a vulnerability in which an emoticon download
request is processed even without a preceding text/x-mms-emoticon
message that announced availability of the emoticon (CVE-2010-0013).
This update provides pidgin 2.6.5, which is not vulnerable to this
issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013
http://pidgin.im/news/security/
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2010.0:
0b141dc591a1677affc824e714c0bfa5 2010.0/i586/finch-2.6.5-0.1mdv2010.0.i586.rpm
3d851548d89644efdfb701ba90c468da 2010.0/i586/libfinch0-2.6.5-0.1mdv2010.0.i586.rpm
91a4b9783856ae2565c2cd3a9b27ebb6 2010.0/i586/libpurple0-2.6.5-0.1mdv2010.0.i586.rpm
a0c9e1a42b96b117822968b581869513 2010.0/i586/libpurple-devel-2.6.5-0.1mdv2010.0.i586.rpm
ec2f185f4aaf4a83fdd95d1ee5023c4c 2010.0/i586/pidgin-2.6.5-0.1mdv2010.0.i586.rpm
aefdd5492a98e1823ba0c7286b3558b9 2010.0/i586/pidgin-bonjour-2.6.5-0.1mdv2010.0.i586.rpm
92599926774c68178a399e8e6b680029 2010.0/i586/pidgin-client-2.6.5-0.1mdv2010.0.i586.rpm
1d213714f4d9da85fd0bac7e793aa0d5 2010.0/i586/pidgin-gevolution-2.6.5-0.1mdv2010.0.i586.rpm
a1e458dcd2c10987934208d9a18cd2b5 2010.0/i586/pidgin-i18n-2.6.5-0.1mdv2010.0.i586.rpm
afc26ed9b344e3d4317fd7e32b88fa88 2010.0/i586/pidgin-meanwhile-2.6.5-0.1mdv2010.0.i586.rpm
3233cfec46020dbff5ef6f6fa4a4025e 2010.0/i586/pidgin-mono-2.6.5-0.1mdv2010.0.i586.rpm
48a5641b1104620aba0e2cbfa65a101f 2010.0/i586/pidgin-perl-2.6.5-0.1mdv2010.0.i586.rpm
44461abfbd8bc983a1e440a331ddc823 2010.0/i586/pidgin-plugins-2.6.5-0.1mdv2010.0.i586.rpm
80e0cedd0d60fe626dc5253db502e1bd 2010.0/i586/pidgin-silc-2.6.5-0.1mdv2010.0.i586.rpm
531a6537d9bf005ee54aece14aa48eb6 2010.0/i586/pidgin-tcl-2.6.5-0.1mdv2010.0.i586.rpm
83d0f2b5bb31e313c53c4d40ca8fe1da 2010.0/SRPMS/pidgin-2.6.5-0.1mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
e27d2817c814cf90bad7e205081402a2 2010.0/x86_64/finch-2.6.5-0.1mdv2010.0.x86_64.rpm
611f230ca512ad0db64acc14ef06e148 2010.0/x86_64/lib64finch0-2.6.5-0.1mdv2010.0.x86_64.rpm
8ae845e339ca97ebdd7f302eac3e5899 2010.0/x86_64/lib64purple0-2.6.5-0.1mdv2010.0.x86_64.rpm
525a83c8cb39f1b8a5c54d1ee91d5e49 2010.0/x86_64/lib64purple-devel-2.6.5-0.1mdv2010.0.x86_64.rpm
2ef31af24eb8a4c2706e67f941ad9fa3 2010.0/x86_64/pidgin-2.6.5-0.1mdv2010.0.x86_64.rpm
f8d2d37e7e9f070ec94339c2a3b6b8f0 2010.0/x86_64/pidgin-bonjour-2.6.5-0.1mdv2010.0.x86_64.rpm
45038a16defd0813f381fea1b184697a 2010.0/x86_64/pidgin-client-2.6.5-0.1mdv2010.0.x86_64.rpm
9f48d1a4af0d24195610a0392f721acb 2010.0/x86_64/pidgin-gevolution-2.6.5-0.1mdv2010.0.x86_64.rpm
6c7d1fcb4f0ba1a1b32d04ecaf51ce59 2010.0/x86_64/pidgin-i18n-2.6.5-0.1mdv2010.0.x86_64.rpm
7efbc4ca6f8028476e6a842238d5e19c 2010.0/x86_64/pidgin-meanwhile-2.6.5-0.1mdv2010.0.x86_64.rpm
58f135d340961f21b7b7a37931c7bf1d 2010.0/x86_64/pidgin-mono-2.6.5-0.1mdv2010.0.x86_64.rpm
798c84ae196fdedbeddb8d71374ce063 2010.0/x86_64/pidgin-perl-2.6.5-0.1mdv2010.0.x86_64.rpm
507b908bb81dc61cd633fccea1023314 2010.0/x86_64/pidgin-plugins-2.6.5-0.1mdv2010.0.x86_64.rpm
48518b319bc1c5a5a452be9ceb522763 2010.0/x86_64/pidgin-silc-2.6.5-0.1mdv2010.0.x86_64.rpm
b38b6ee90af7cee2298ba8f191b7fcc6 2010.0/x86_64/pidgin-tcl-2.6.5-0.1mdv2010.0.x86_64.rpm
83d0f2b5bb31e313c53c4d40ca8fe1da 2010.0/SRPMS/pidgin-2.6.5-0.1mdv2010.0.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFLS6HImqjQ0CJFipgRAtFeAKDDgB5ajBW96Sv5YBFoCprgN7m57gCbBWjf
aW7W6V/HuduwIHmOC3pXQhA=
=uVD5
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists