[gentoo-announce] [ GLSA 200901-13 ] Pidgin: Multiple vulnerabilities

[news 28]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Gentoo Linux Security Advisory GLSA 200901-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

http://security.gentoo.org/

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Severity: Normal

Title: Pidgin: Multiple vulnerabilities

Date: January 20, 2009

Bugs: #230045, #234135

ID: 200901-13

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Synopsis

========

 

Multiple vulnerabilities have been discovered in Pidgin, allowing for

remote arbitrary code execution, Denial of Service and service

spoofing.

 

Background

==========

 

Pidgin (formerly Gaim) is an instant messaging client for a variety of

instant messaging protocols. It is based on the libpurple instant

messaging library.

 

Affected packages

=================

 

-------------------------------------------------------------------

Package / Vulnerable / Unaffected

-------------------------------------------------------------------

1 net-im/pidgin < 2.5.1 >= 2.5.1

 

Description

===========

 

Multiple vulnerabilities have been discovered in Pidgin and the

libpurple library:

 

* A participant to the TippingPoint ZDI reported multiple integer

overflows in the msn_slplink_process_msg() function in the MSN

protocol implementation (CVE-2008-2927).

 

* Juan Pablo Lopez Yacubian is credited for reporting a

use-after-free flaw in msn_slplink_process_msg() in the MSN protocol

implementation (CVE-2008-2955).

 

* The included UPnP server does not limit the size of data to be

downloaded for UPnP service discovery, according to a report by

Andrew Hunt and Christian Grothoff (CVE-2008-2957).

 

* Josh Triplett discovered that the NSS plugin for libpurple does not

properly verify SSL certificates (CVE-2008-3532).

 

Impact

======

 

A remote attacker could send specially crafted messages or files using

the MSN protocol which could result in the execution of arbitrary code

or crash Pidgin. NOTE: Successful exploitation might require the

victim's interaction. Furthermore, an attacker could conduct

man-in-the-middle attacks to obtain sensitive information using bad

certificates and cause memory and disk resources to exhaust.

 

Workaround

==========

 

There is no known workaround at this time.

 

Resolution

==========

 

All Pidgin users should upgrade to the latest version:

 

# emerge --sync

# emerge --ask --oneshot --verbose ">=net-im/pidgin-2.5.1"

 

References

==========

 

[ 1 ] CVE-2008-2927

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2927

[ 2 ] CVE-2008-2955

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2955

[ 3 ] CVE-2008-2957

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2957

[ 4 ] CVE-2008-3532

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3532

 

Availability

============

 

This GLSA and any updates to it are available for viewing at

the Gentoo Security Website:

 

http://security.gentoo.org/glsa/glsa-200901-13.xml

 

Concerns?

=========

 

Security is a primary focus of Gentoo Linux and ensuring the

confidentiality and security of our users machines is of utmost

importance to us. Any security concerns should be addressed to

security ( -at -) gentoo.org or alternatively, you may file a bug at

http://bugs.gentoo.org.

 

License

=======

 

Copyright 2009 Gentoo Foundation, Inc; referenced text

belongs to its owner(s).

 

The contents of this document are licensed under the

Creative Commons - Attribution / Share Alike license.

 

http://creativecommons.org/licenses/by-sa/2.5