[Full-disclosure] [ MDVSA-2009:025 ] pidgin




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:025
http://www.mandriva.com/security/
_______________________________________________________________________

Package : pidgin
Date : January 22, 2009
Affected: 2008.1
_______________________________________________________________________

Problem Description:

The NSS plugin in libpurple in Pidgin 2.4.1 does not verify SSL
certificates, which makes it easier for remote attackers to trick
a user into accepting an invalid server certificate for a spoofed
service. (CVE-2008-3532)

Pidgin 2.4.1 allows remote attackers to cause a denial of service
(crash) via a long filename that contains certain characters, as
demonstrated using an MSN message that triggers the crash in the
msn_slplink_process_msg function. (CVE-2008-2955)

The UPnP functionality in Pidgin 2.0.0, and possibly other versions,
allows remote attackers to trigger the download of arbitrary files
and cause a denial of service (memory or disk consumption) via a UDP
packet that specifies an arbitrary URL. (CVE-2008-2957)

The updated packages have been patched to fix these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2955
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3532
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.1:
8d986cf90ce366f40da1ed22f99227e2 2008.1/i586/finch-2.4.1-2.3mdv2008.1.i586.rpm
1591abeaedbde92f9e851fc163ecbc14 2008.1/i586/libfinch0-2.4.1-2.3mdv2008.1.i586.rpm
81b2f07e1a3e82683dd761e913630ae8 2008.1/i586/libpurple0-2.4.1-2.3mdv2008.1.i586.rpm
bc958e4178ea9037b2faef5e46fdc367 2008.1/i586/libpurple-devel-2.4.1-2.3mdv2008.1.i586.rpm
9ad56f8214068aa578c74de4476b6a21 2008.1/i586/pidgin-2.4.1-2.3mdv2008.1.i586.rpm
97e7beb6d69c8cd48427845537cd7092 2008.1/i586/pidgin-bonjour-2.4.1-2.3mdv2008.1.i586.rpm
4bc7839dba2efbe27fb814be39c0e2d3 2008.1/i586/pidgin-client-2.4.1-2.3mdv2008.1.i586.rpm
551a0888b40c5b234f14d9814a9249d2 2008.1/i586/pidgin-gevolution-2.4.1-2.3mdv2008.1.i586.rpm
86ccded472fa0974e1a28be7d559ff4a 2008.1/i586/pidgin-i18n-2.4.1-2.3mdv2008.1.i586.rpm
37869e45dee88264c183faf4f4ad5140 2008.1/i586/pidgin-meanwhile-2.4.1-2.3mdv2008.1.i586.rpm
0c424324da44beb62b61243106fc3599 2008.1/i586/pidgin-mono-2.4.1-2.3mdv2008.1.i586.rpm
c61e9c1cd651abcc805970df7dcae18a 2008.1/i586/pidgin-perl-2.4.1-2.3mdv2008.1.i586.rpm
fbc16077149cff9111bda6ada529ef5f 2008.1/i586/pidgin-silc-2.4.1-2.3mdv2008.1.i586.rpm
f97215d6643336a155e298a404386d7e 2008.1/i586/pidgin-tcl-2.4.1-2.3mdv2008.1.i586.rpm
a7816e51fd0c35798accad228aa67be9 2008.1/SRPMS/pidgin-2.4.1-2.3mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64:
63ba74e6aeae1f940cdd4b5d6af3128b 2008.1/x86_64/finch-2.4.1-2.3mdv2008.1.x86_64.rpm
c9cbed1c7267fd449e6c26ad8454e438 2008.1/x86_64/lib64finch0-2.4.1-2.3mdv2008.1.x86_64.rpm
739eeb3e632023f89acd9e4baf826590 2008.1/x86_64/lib64purple0-2.4.1-2.3mdv2008.1.x86_64.rpm
e63ce782ee2e8b9e157fa85ccd7f4511 2008.1/x86_64/lib64purple-devel-2.4.1-2.3mdv2008.1.x86_64.rpm
e80d06d3e544b29f406c291a23b005b8 2008.1/x86_64/pidgin-2.4.1-2.3mdv2008.1.x86_64.rpm
5aa3f2383fd83b025efa28bf9b6d817d 2008.1/x86_64/pidgin-bonjour-2.4.1-2.3mdv2008.1.x86_64.rpm
cea0458cbf8fb2e16131e33a7f1e2587 2008.1/x86_64/pidgin-client-2.4.1-2.3mdv2008.1.x86_64.rpm
54327daad8ed2658fe9c9bbe8482f388 2008.1/x86_64/pidgin-gevolution-2.4.1-2.3mdv2008.1.x86_64.rpm
08d375b245f16b41077e6e9baf82c6df 2008.1/x86_64/pidgin-i18n-2.4.1-2.3mdv2008.1.x86_64.rpm
536edfbb015f173dcc09a7c4481b20cd 2008.1/x86_64/pidgin-meanwhile-2.4.1-2.3mdv2008.1.x86_64.rpm
6747c3d56d317d3733bea26a2d18fe9a 2008.1/x86_64/pidgin-mono-2.4.1-2.3mdv2008.1.x86_64.rpm
ae3767379a0ccbcc577d8521fbed8432 2008.1/x86_64/pidgin-perl-2.4.1-2.3mdv2008.1.x86_64.rpm
5e8b1bfd757e596536e0c0fa8f680aea 2008.1/x86_64/pidgin-silc-2.4.1-2.3mdv2008.1.x86_64.rpm
9b2f9b0732f14981423f57454e68b3b1 2008.1/x86_64/pidgin-tcl-2.4.1-2.3mdv2008.1.x86_64.rpm
a7816e51fd0c35798accad228aa67be9 2008.1/SRPMS/pidgin-2.4.1-2.3mdv2008.1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJeOvHmqjQ0CJFipgRAraEAJ98EF/sllsypuWtjUk/7wUDNstJPACg85S/
MdDiL87nCpghlEbABOrCLmk=
=wRcj
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages