Jump to content
Compatible Support Forums
Sign in to follow this  
Followers 0
news

[Security Announce] [ MDVSA-2009:230 ] pidgin

By news, in Upcoming News

Recommended Posts

news    28

news
Posted

This is a multi-part message in MIME format...

 

------------=_1252684653-13155-1481

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

_______________________________________________________________________

 

Mandriva Linux Security Advisory MDVSA-2009:230

http://www.mandriva.com/security/

_______________________________________________________________________

 

Package : pidgin

Date : September 11, 2009

Affected: 2009.0, 2009.1, Enterprise Server 5.0

_______________________________________________________________________

 

Problem Description:

 

Security vulnerabilities has been identified and fixed in pidgin:

 

The msn_slplink_process_msg function in

libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin

(formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows

remote attackers to execute arbitrary code or cause a denial of service

(memory corruption and application crash) by sending multiple crafted

SLP (aka MSNSLP) messages to trigger an overwrite of an arbitrary

memory location. NOTE: this issue reportedly exists because of an

incomplete fix for CVE-2009-1376 (CVE-2009-2694).

 

Unspecified vulnerability in Pidgin 2.6.0 allows remote attackers

to cause a denial of service (crash) via a link in a Yahoo IM

(CVE-2009-3025)

 

protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly

other versions, does not follow the require TLS/SSL preference

when connecting to older Jabber servers that do not follow the XMPP

specification, which causes libpurple to connect to the server without

the expected encryption and allows remote attackers to sniff sessions

(CVE-2009-3026).

 

libpurple/protocols/irc/msgs.c in the IRC protocol plugin in libpurple

in Pidgin before 2.6.2 allows remote IRC servers to cause a denial

of service (NULL pointer dereference and application crash) via a

TOPIC message that lacks a topic string (CVE-2009-2703).

 

The msn_slp_sip_recv function in libpurple/protocols/msn/slp.c in the

MSN protocol plugin in libpurple in Pidgin before 2.6.2 allows remote

attackers to cause a denial of service (NULL pointer dereference

and application crash) via an SLP invite message that lacks certain

required fields, as demonstrated by a malformed message from a KMess

client (CVE-2009-3083).

 

The msn_slp_process_msg function in libpurple/protocols/msn/slpcall.c

in the MSN protocol plugin in libpurple 2.6.0 and 2.6.1, as used in

Pidgin before 2.6.2, allows remote attackers to cause a denial of

service (application crash) via a handwritten (aka Ink) message,

related to an uninitialized variable and the incorrect UTF16-LE

charset name (CVE-2009-3084).

 

The XMPP protocol plugin in libpurple in Pidgin before 2.6.2 does

not properly handle an error IQ stanza during an attempted fetch of

a custom smiley, which allows remote attackers to cause a denial of

service (application crash) via XHTML-IM content with cid: images

(CVE-2009-3085).

 

This update provides pidgin 2.6.2, which is not vulnerable to these

issues.

_______________________________________________________________________

 

References:

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2694

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3025

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3026

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2703

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3083

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3084

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3085

http://pidgin.im/news/security/

_______________________________________________________________________

 

Updated Packages:

 

Mandriva Linux 2009.0:

dd2135de88f01028217b4146dbfdabc0 2009.0/i586/finch-2.6.2-1.1mdv2009.0.i586.rpm

0a62ef0d115db1d059ba8683d8b78543 2009.0/i586/libfinch0-2.6.2-1.1mdv2009.0.i586.rpm

d9138da684311ab0e77748b5d9251324 2009.0/i586/libpurple0-2.6.2-1.1mdv2009.0.i586.rpm

a795ae8b0a6d37dae3cdd5d626a1054b 2009.0/i586/libpurple-devel-2.6.2-1.1mdv2009.0.i586.rpm

e02ee9ac19b50b6313ab7e95955fc7dd 2009.0/i586/pidgin-2.6.2-1.1mdv2009.0.i586.rpm

d9da1b8df1a61a3c6a61fb661d0af935 2009.0/i586/pidgin-bonjour-2.6.2-1.1mdv2009.0.i586.rpm

fa74aa490a4a78a443f78273bd80c129 2009.0/i586/pidgin-client-2.6.2-1.1mdv2009.0.i586.rpm

fba34f0c6056aaeda170fb38bafc50f8 2009.0/i586/pidgin-gevolution-2.6.2-1.1mdv2009.0.i586.rpm

aa062eba94ee8a8857241879f83bb680 2009.0/i586/pidgin-i18n-2.6.2-1.1mdv2009.0.i586.rpm

3583204db49425789559de87f9c20e84 2009.0/i586/pidgin-meanwhile-2.6.2-1.1mdv2009.0.i586.rpm

83e2b09d13dc5880ce3779a659fa6edd 2009.0/i586/pidgin-mono-2.6.2-1.1mdv2009.0.i586.rpm

13115c52a371163466c9f8fb02c3b3f1 2009.0/i586/pidgin-perl-2.6.2-1.1mdv2009.0.i586.rpm

57c8369439d8ac73444f881e47bc7c7b 2009.0/i586/pidgin-plugins-2.6.2-1.1mdv2009.0.i586.rpm

1fe519efa96037e5b95360e6967fa872 2009.0/i586/pidgin-silc-2.6.2-1.1mdv2009.0.i586.rpm

ab47db7786ec117a66317dc91328117c 2009.0/i586/pidgin-tcl-2.6.2-1.1mdv2009.0.i586.rpm

3c72a8f93d85a71a5ec62065c71ac866 2009.0/SRPMS/pidgin-2.6.2-1.1mdv2009.0.src.rpm

 

Mandriva Linux 2009.0/X86_64:

abe40e3b46e70d0f74c5b4195d4a7573 2009.0/x86_64/finch-2.6.2-1.1mdv2009.0.x86_64.rpm

1895ed3c44f5eb3bf08bba3d0d44329a 2009.0/x86_64/lib64finch0-2.6.2-1.1mdv2009.0.x86_64.rpm

16bcdf679539693dea8d115d6f4f57fa 2009.0/x86_64/lib64purple0-2.6.2-1.1mdv2009.0.x86_64.rpm

5359a59e9ddd524f3fe2e61374391e6c 2009.0/x86_64/lib64purple-devel-2.6.2-1.1mdv2009.0.x86_64.rpm

c59fedcacf46d230776c1fa588d2370d 2009.0/x86_64/pidgin-2.6.2-1.1mdv2009.0.x86_64.rpm

e4f7f1dded3d1de9ba3a7cb3251382ab 2009.0/x86_64/pidgin-bonjour-2.6.2-1.1mdv2009.0.x86_64.rpm

9c8326b381dc152f4121ab43104fca70 2009.0/x86_64/pidgin-client-2.6.2-1.1mdv2009.0.x86_64.rpm

c7f718a011414a1c2a30dc3c765fa57f 2009.0/x86_64/pidgin-gevolution-2.6.2-1.1mdv2009.0.x86_64.rpm

5a272130a6b76313263567fa4e4eb405 2009.0/x86_64/pidgin-i18n-2.6.2-1.1mdv2009.0.x86_64.rpm

c7ca5393d5b3c26c7969e1935f0f081f 2009.0/x86_64/pidgin-meanwhile-2.6.2-1.1mdv2009.0.x86_64.rpm

a352742a2c74ab2dee0fe923d8088b09 2009.0/x86_64/pidgin-mono-2.6.2-1.1mdv2009.0.x86_64.rpm

3a7ea7015ba7e4631629a6561969c5f1 2009.0/x86_64/pidgin-perl-2.6.2-1.1mdv2009.0.x86_64.rpm

673250d99488d52ac182234a977270c5 2009.0/x86_64/pidgin-plugins-2.6.2-1.1mdv2009.0.x86_64.rpm

b0b24b820b40b8ae0ea50b861cb24816 2009.0/x86_64/pidgin-silc-2.6.2-1.1mdv2009.0.x86_64.rpm

cde1df5b06fdd9a7f3abdacd519a4ded 2009.0/x86_64/pidgin-tcl-2.6.2-1.1mdv2009.0.x86_64.rpm

3c72a8f93d85a71a5ec62065c71ac866 2009.0/SRPMS/pidgin-2.6.2-1.1mdv2009.0.src.rpm

 

Mandriva Linux 2009.1:

a0dae5ebcc277d8a42dfbbbc273e2e7c 2009.1/i586/finch-2.6.2-1.1mdv2009.1.i586.rpm

3e31c84ecf92b24da7e63fda3e6bc57e 2009.1/i586/libfinch0-2.6.2-1.1mdv2009.1.i586.rpm

6c2e1b9d19fc77f438517512666d8015 2009.1/i586/libpurple0-2.6.2-1.1mdv2009.1.i586.rpm

924014945b93ced26931d96e7872b2ae 2009.1/i586/libpurple-devel-2.6.2-1.1mdv2009.1.i586.rpm

0c78dd3ef63b1e14bc1f881a8c15fecb 2009.1/i586/pidgin-2.6.2-1.1mdv2009.1.i586.rpm

3038bfbd661e5d467dec2c2ac9550b16 2009.1/i586/pidgin-bonjour-2.6.2-1.1mdv2009.1.i586.rpm

ea7a7a8d951f6deb0d68cfc162868a6a 2009.1/i586/pidgin-client-2.6.2-1.1mdv2009.1.i586.rpm

cb312d06aa0365d38e393c7625171e62 2009.1/i586/pidgin-gevolution-2.6.2-1.1mdv2009.1.i586.rpm

c8bfc1d06999ea0db358cbb008e51094 2009.1/i586/pidgin-i18n-2.6.2-1.1mdv2009.1.i586.rpm

b46996777660d0818dc1c3987ab698dc 2009.1/i586/pidgin-meanwhile-2.6.2-1.1mdv2009.1.i586.rpm

c761eb32c26ffd738b2ad3b61f78c011 2009.1/i586/pidgin-mono-2.6.2-1.1mdv2009.1.i586.rpm

aaba734ce1fd0425395132ce28e76c6b 2009.1/i586/pidgin-perl-2.6.2-1.1mdv2009.1.i586.rpm

4b7f6d886dda8a7e89a56e6cd459b888 2009.1/i586/pidgin-plugins-2.6.2-1.1mdv2009.1.i586.rpm

28c71dbe522e6c2315c0092b5c68f6a6 2009.1/i586/pidgin-silc-2.6.2-1.1mdv2009.1.i586.rpm

0aaa2db43643a3f2a471b5d29b89e794 2009.1/i586/pidgin-tcl-2.6.2-1.1mdv2009.1.i586.rpm

3607769d564d6cead9e66ddc97e90c26 2009.1/SRPMS/pidgin-2.6.2-1.1mdv2009.1.src.rpm

 

Mandriva Linux 2009.1/X86_64:

5996a662fd63ef72540432b9e723e376 2009.1/x86_64/finch-2.6.2-1.1mdv2009.1.x86_64.rpm

5daefd3daff1323ae6befca7ffeccf6d 2009.1/x86_64/lib64finch0-2.6.2-1.1mdv2009.1.x86_64.rpm

29c6cff6af5047f1c1e8c0e9cab1b343 2009.1/x86_64/lib64purple0-2.6.2-1.1mdv2009.1.x86_64.rpm

129363e98df30501bb591131f3b71974 2009.1/x86_64/lib64purple-devel-2.6.2-1.1mdv2009.1.x86_64.rpm

1dca4950a84ee467a1db32e33c272493 2009.1/x86_64/pidgin-2.6.2-1.1mdv2009.1.x86_64.rpm

efc25c6b71ae970de073641feed3d222 2009.1/x86_64/pidgin-bonjour-2.6.2-1.1mdv2009.1.x86_64.rpm

f57802d311e6676c359db58ce4f6c898 2009.1/x86_64/pidgin-client-2.6.2-1.1mdv2009.1.x86_64.rpm

3673312d1746554834679c0dd66f900a 2009.1/x86_64/pidgin-gevolution-2.6.2-1.1mdv2009.1.x86_64.rpm

6b4edbc3cbd95c4b73f199ec3dd07544 2009.1/x86_64/pidgin-i18n-2.6.2-1.1mdv2009.1.x86_64.rpm

07ddc3ebd9baa319fa42327ace7a51c1 2009.1/x86_64/pidgin-meanwhile-2.6.2-1.1mdv2009.1.x86_64.rpm

d3c41c1ef9cd7baa9febd7d073ef09a4 2009.1/x86_64/pidgin-mono-2.6.2-1.1mdv2009.1.x86_64.rpm

6ce2b600ff76999460c7e8ed7ef81904 2009.1/x86_64/pidgin-perl-2.6.2-1.1mdv2009.1.x86_64.rpm

d8be6a2e6bbba229edd7d7abcbf2ef76 2009.1/x86_64/pidgin-plugins-2.6.2-1.1mdv2009.1.x86_64.rpm

7ae3fdc1561a478052e2a3fe65488966 2009.1/x86_64/pidgin-silc-2.6.2-1.1mdv2009.1.x86_64.rpm

308d2a35011d9093973b393199de7393 2009.1/x86_64/pidgin-tcl-2.6.2-1.1mdv2009.1.x86_64.rpm

3607769d564d6cead9e66ddc97e90c26 2009.1/SRPMS/pidgin-2.6.2-1.1mdv2009.1.src.rpm

 

Mandriva Enterprise Server 5:

6a1a28fb7bb3037ae1528e792417300b mes5/i586/finch-2.6.2-1.1mdvmes5.i586.rpm

7f56781f36c71c0839741b728586ef85 mes5/i586/libfinch0-2.6.2-1.1mdvmes5.i586.rpm

f45ee50ed79e8101375a9236f937d658 mes5/i586/libpurple0-2.6.2-1.1mdvmes5.i586.rpm

b0455640d7149d9ad025ae42fce61b72 mes5/i586/libpurple-devel-2.6.2-1.1mdvmes5.i586.rpm

487fa34cda5ebd172673c4232a3009d3 mes5/i586/pidgin-2.6.2-1.1mdvmes5.i586.rpm

38220a322dc8b3fc2a264fb2bae2e54f mes5/i586/pidgin-bonjour-2.6.2-1.1mdvmes5.i586.rpm

9a6d4add9297029d774a3f4483be769f mes5/i586/pidgin-client-2.6.2-1.1mdvmes5.i586.rpm

5b4b62dd8555dc4b43d475c5dc04ff37 mes5/i586/pidgin-gevolution-2.6.2-1.1mdvmes5.i586.rpm

adb1072ce88c0a95afb2a41b07471f69 mes5/i586/pidgin-i18n-2.6.2-1.1mdvmes5.i586.rpm

3f2d24e39f650e1ce198b3555881d52f mes5/i586/pidgin-meanwhile-2.6.2-1.1mdvmes5.i586.rpm

70cc2085acb78b0a75df07c8d44122a6 mes5/i586/pidgin-mono-2.6.2-1.1mdvmes5.i586.rpm

2fc80c8e5d350ea77dbaf3bf53e738c9 mes5/i586/pidgin-perl-2.6.2-1.1mdvmes5.i586.rpm

9bb6bb95f035abec1d8db99fb7a95a94 mes5/i586/pidgin-plugins-2.6.2-1.1mdvmes5.i586.rpm

0e8e10245b3b2b2793e9830ebad65c9f mes5/i586/pidgin-silc-2.6.2-1.1mdvmes5.i586.rpm

87005bd59df0e60db09773f5ad51c65c mes5/i586/pidgin-tcl-2.6.2-1.1mdvmes5.i586.rpm

c5ba16d383624512a2accea0e49127e1 mes5/SRPMS/pidgin-2.6.2-1.1mdvmes5.src.rpm

 

Mandriva Enterprise Server 5/X86_64:

48559a9fbd602829a9018da470c737b7 mes5/x86_64/finch-2.6.2-1.1mdvmes5.x86_64.rpm

efc52b721d74bd54957d8381160930ae mes5/x86_64/lib64finch0-2.6.2-1.1mdvmes5.x86_64.rpm

cfa40992e6268de48742d863937a3ce5 mes5/x86_64/lib64purple0-2.6.2-1.1mdvmes5.x86_64.rpm

551c32363db750e426e3ba6aa482aa1b mes5/x86_64/lib64purple-devel-2.6.2-1.1mdvmes5.x86_64.rpm

f772d231fa7f5bfa83d7448b977ac9e4 mes5/x86_64/pidgin-2.6.2-1.1mdvmes5.x86_64.rpm

5e36d866ed4aead171f62b0ff52f86de mes5/x86_64/pidgin-bonjour-2.6.2-1.1mdvmes5.x86_64.rpm

8e93da5c587e1fc463c23a1e202c506f mes5/x86_64/pidgin-client-2.6.2-1.1mdvmes5.x86_64.rpm

35a37384b53cb597b796ce269b947c0c mes5/x86_64/pidgin-gevolution-2.6.2-1.1mdvmes5.x86_64.rpm

6d8a79d2da3c94034e9db65464304cba mes5/x86_64/pidgin-i18n-2.6.2-1.1mdvmes5.x86_64.rpm

be05186873330aca1a05143c7380b5e1 mes5/x86_64/pidgin-meanwhile-2.6.2-1.1mdvmes5.x86_64.rpm

669c51511f0c04f40779dd73e0c9f50d mes5/x86_64/pidgin-mono-2.6.2-1.1mdvmes5.x86_64.rpm

79bd83d747fa3e48d2ce18e8e5abb588 mes5/x86_64/pidgin-perl-2.6.2-1.1mdvmes5.x86_64.rpm

48eb4e61676abc78e769a0f660148814 mes5/x86_64/pidgin-plugins-2.6.2-1.1mdvmes5.x86_64.rpm

6c37ac6cbf4e83b8a4e09bfc62776d73 mes5/x86_64/pidgin-silc-2.6.2-1.1mdvmes5.x86_64.rpm

47262f2e661db28512c40710d9a59113 mes5/x86_64/pidgin-tcl-2.6.2-1.1mdvmes5.x86_64.rpm

c5ba16d383624512a2accea0e49127e1 mes5/SRPMS/pidgin-2.6.2-1.1mdvmes5.src.rpm

_______________________________________________________________________

 

To upgrade automatically use MandrivaUpdate or urpmi. The verification

of md5 checksums and GPG signatures is performed automatically for you.

 

All packages are signed by Mandriva for security. You can obtain the

GPG public key of the Mandriva Security Team by executing:

 

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

You can view other update advisories for Mandriva Linux at:

 

http://www.mandriva.com/security/advisories

 

If you want to report vulnerabilities, please contact

 

security_(at)_mandriva.com

_______________________________________________________________________

 

Type Bits/KeyID Date User ID

pub 1024D/22458A98 2000-07-10 Mandriva Security Team

 

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.9 (GNU/Linux)

 

iD8DBQFKqkbImqjQ0CJFipgRAmItAKDwmkCL6bbeJfrQn7f0X8X1kUsE/gCeJQLu

eZC/xky0aMktS6+I56SNZh0=

=rl3L

-----END PGP SIGNATURE-----

 

 

------------=_1252684653-13155-1481

Content-Type: text/plain; name="message-footer.txt"

Content-Disposition: inline; filename="message-footer.txt"

Content-Transfer-Encoding: 8bit

 

To unsubscribe, send a email to sympa ( -at -) mandrivalinux.org

with this subject : unsubscribe security-announce

_______________________________________________________

Want to buy your Pack or Services from Mandriva?

Go to http://www.mandrivastore.com

Join the Club : http://www.mandrivaclub.com

_______________________________________________________

 

------------=_1252684653-13155-1481--

 

 

Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing Upcoming News
×