Message-Id: <E1Ni7ci-0006Wa-HP@titan.mandriva.com>
Date: Thu, 18 Feb 2010 15:45:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:041 ] pidgin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:041
http://www.mandriva.com/security/
_______________________________________________________________________
Package : pidgin
Date : February 18, 2010
Affected: 2008.0, 2009.1, 2010.0, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple security vulnerabilities have been identified and fixed
in pidgin:
Certain malformed SLP messages can trigger a crash because the MSN
protocol plugin fails to check that all pieces of the message are
set correctly (CVE-2010-0277).
If a user in a multi-user chat room has a nickname containing '<br>'
then libpurple ends up having two users with username ' ' in the room,
and Finch crashes in this situation. We do not believe there is a
possibility of remote code execution (CVE-2010-0420).
oCERT notified us about a problem in Pidgin, where a large amount of
processing time will be used when inserting many smileys into an IM
or chat window. This should not cause a crash, but Pidgin can become
unusably slow (CVE-2010-0423).
Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.
This update provides pidgin 2.6.6, which is not vulnerable to these
issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0423
http://pidgin.im/news/security/
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
Mandriva Linux 2008.0/X86_64:
Mandriva Linux 2009.1:
Mandriva Linux 2009.1/X86_64:
Mandriva Linux 2010.0:
Mandriva Linux 2010.0/X86_64:
Mandriva Enterprise Server 5:
Mandriva Enterprise Server 5/X86_64:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
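Added example (not part of the Mandriva advisory or its tooling): when packages are fetched by hand rather than through MandrivaUpdate or urpmi, the MD5 check can be repeated against an advisory package list whose lines are an MD5 digest followed by a relative .rpm path. The function names and the sample list and files in demo() are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Package line: 32 hex digits of MD5, whitespace, relative path to an .rpm.
LINE = re.compile(r"^([0-9a-f]{32})\s+(\S+\.rpm)$")

def parse_package_list(text):
    """Map package file name -> MD5 digest, skipping headings and prose."""
    digests = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        digest, name = m.group(1), m.group(2).rsplit("/", 1)[-1]
        # A source RPM can be listed once per architecture; the digests must agree.
        if digests.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting digests for {name}")
    return digests

def check_downloads(digests, directory):
    """Return {file name: 'ok' | 'MISMATCH' | 'missing'} for each listed package."""
    results = {}
    for name, expected in sorted(digests.items()):
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
            continue
        h = hashlib.md5()  # integrity only; authenticity comes from the GPG signature
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        results[name] = "ok" if h.hexdigest() == expected else "MISMATCH"
    return results

def demo():
    """Constructed sample: one intact file, one altered file, one not downloaded."""
    good, other = b"constructed package A", b"constructed package B"
    advisory = "\n".join([
        "Example Linux 1.0:",
        f"{hashlib.md5(good).hexdigest()} 1.0/i586/a-1.0.i586.rpm",
        f"{hashlib.md5(other).hexdigest()} 1.0/i586/b-1.0.i586.rpm",
        f"{'0' * 32} 1.0/SRPMS/c-1.0.src.rpm",
    ])
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "a-1.0.i586.rpm").write_bytes(good)
        (Path(d) / "b-1.0.i586.rpm").write_bytes(other + b" altered")
        return check_downloads(parse_package_list(advisory), d)
```

A matching MD5 only shows the file is the one the list describes; the digests are trustworthy only if the advisory's own PGP signature verifies, and the package signature (rpm --checksig) remains the authenticity check.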
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFLfSUHmqjQ0CJFipgRAttGAKCxQbsdGtNK2rs9RMbLQmhz2UM69wCg32zV
vL0qCU2xlQDncxOIar1eKrI=
=vJpo
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/