Message-Id: <E1Ni7ci-0006Wa-HP@titan.mandriva.com>
Date: Thu, 18 Feb 2010 15:45:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:041 ] pidgin


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:041
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : pidgin
 Date    : February 18, 2010
 Affected: 2008.0, 2009.1, 2010.0, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple security vulnerabilities have been identified and fixed
 in pidgin:
 
 Certain malformed SLP messages can trigger a crash because the MSN
 protocol plugin fails to check that all pieces of the message are
 set correctly (CVE-2010-0277).
 
 If a user in a multi-user chat room has a nickname containing '<br>'
 then libpurple ends up having two users with username ' ' in the room,
 and Finch crashes in this situation. We do not believe there is a
 possibility of remote code execution (CVE-2010-0420).
 
 oCERT notified us about a problem in Pidgin, where a large amount of
 processing time will be used when inserting many smileys into an IM
 or chat window. This should not cause a crash, but Pidgin can become
 unusably slow (CVE-2010-0423).
 
 Packages for 2008.0 are provided for Corporate Desktop 2008.0
 customers.
 
 This update provides pidgin 2.6.6, which is not vulnerable to these
 issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0277
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0420
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0423
 http://pidgin.im/news/security/
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLfSUHmqjQ0CJFipgRAttGAKCxQbsdGtNK2rs9RMbLQmhz2UM69wCg32zV
vL0qCU2xlQDncxOIar1eKrI=
=vJpo
-----END PGP SIGNATURE-----
