[Full-disclosure] [ MDVSA-2009:147 ] pidgin




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:147
http://www.mandriva.com/security/
_______________________________________________________________________

Package : pidgin
Date : June 30, 2009
Affected: 2009.0, 2009.1
_______________________________________________________________________

Problem Description:

Security vulnerabilities has been identified and fixed in pidgin:

Buffer overflow in the XMPP SOCKS5 bytestream server in Pidgin
(formerly Gaim) before 2.5.6 allows remote authenticated users to
execute arbitrary code via vectors involving an outbound XMPP file
transfer. NOTE: some of these details are obtained from third party
information (CVE-2009-1373).

Buffer overflow in the decrypt_out function in Pidgin (formerly Gaim)
before 2.5.6 allows remote attackers to cause a denial of service
(application crash) via a QQ packet (CVE-2009-1374).

The PurpleCircBuffer implementation in Pidgin (formerly Gaim) before
2.5.6 does not properly maintain a certain buffer, which allows
remote attackers to cause a denial of service (memory corruption
and application crash) via vectors involving the (1) XMPP or (2)
Sametime protocol (CVE-2009-1375).

Multiple integer overflows in the msn_slplink_process_msg functions in
the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and
(2) libpurple/protocols/msnp9/slplink.c in Pidgin (formerly Gaim)
before 2.5.6 on 32-bit platforms allow remote attackers to execute
arbitrary code via a malformed SLP message with a crafted offset
value, leading to buffer overflows. NOTE: this issue exists because
of an incomplete fix for CVE-2008-2927 (CVE-2009-1376).

This update provides pidgin 2.5.8, which is not vulnerable to these
issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1373
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1374
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1375
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1376
http://pidgin.im/news/security/
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2009.0:
0b9c5812047b6913b62d962d6b2e23ce 2009.0/i586/finch-2.5.8-0.2mdv2009.0.i586.rpm
2e163af32cb31fcbadb823def93ed7f8 2009.0/i586/libfinch0-2.5.8-0.2mdv2009.0.i586.rpm
8ac2c52ffdab796e3dad1d38733064ff 2009.0/i586/libpurple0-2.5.8-0.2mdv2009.0.i586.rpm
f0db58c858207f9560548d949b48d261 2009.0/i586/libpurple-devel-2.5.8-0.2mdv2009.0.i586.rpm
5169c7ebe58ae7180849d7ed517121c8 2009.0/i586/pidgin-2.5.8-0.2mdv2009.0.i586.rpm
4d13d3689764970fa898c1fad1cc5764 2009.0/i586/pidgin-bonjour-2.5.8-0.2mdv2009.0.i586.rpm
a1830c84222ffc88855d8eb92c859641 2009.0/i586/pidgin-client-2.5.8-0.2mdv2009.0.i586.rpm
bf2b1e97c096cc0448d808a4a88b3f3e 2009.0/i586/pidgin-gevolution-2.5.8-0.2mdv2009.0.i586.rpm
f7fc2376cacab7d26ae56ee6b64349a0 2009.0/i586/pidgin-i18n-2.5.8-0.2mdv2009.0.i586.rpm
edaa8098fc045f2d62eb34520a15dc3f 2009.0/i586/pidgin-meanwhile-2.5.8-0.2mdv2009.0.i586.rpm
11ffe25c191b1e3e9960ed082390f7c4 2009.0/i586/pidgin-mono-2.5.8-0.2mdv2009.0.i586.rpm
7c52bfd76a126296d01db5f91070697e 2009.0/i586/pidgin-perl-2.5.8-0.2mdv2009.0.i586.rpm
f1a0e77257376b4ae76d3860798a1f48 2009.0/i586/pidgin-plugins-2.5.8-0.2mdv2009.0.i586.rpm
d9d098ba185b307bd6a1841e34b6f34f 2009.0/i586/pidgin-silc-2.5.8-0.2mdv2009.0.i586.rpm
85e866aa7309873647ee6dbd8e25f19b 2009.0/i586/pidgin-tcl-2.5.8-0.2mdv2009.0.i586.rpm
f58c790083e6cbe2e18ca162368b8222 2009.0/SRPMS/pidgin-2.5.8-0.2mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
1261bbf57c000e72386cc2527b5dc36f 2009.0/x86_64/finch-2.5.8-0.2mdv2009.0.x86_64.rpm
a8e36217c7bb9382fec36b3678d7f22a 2009.0/x86_64/lib64finch0-2.5.8-0.2mdv2009.0.x86_64.rpm
cc68a1500a192bcd1e1e74b01bfa88f6 2009.0/x86_64/lib64purple0-2.5.8-0.2mdv2009.0.x86_64.rpm
b023996495bfccbcc42546ee50d86cb8 2009.0/x86_64/lib64purple-devel-2.5.8-0.2mdv2009.0.x86_64.rpm
483d34d8c6dbd627c8f42ca7026c4891 2009.0/x86_64/pidgin-2.5.8-0.2mdv2009.0.x86_64.rpm
dd297e049a355c5a577fd6ff05fa8e1a 2009.0/x86_64/pidgin-bonjour-2.5.8-0.2mdv2009.0.x86_64.rpm
99552bd5cdc82dbcc654fce15f61d092 2009.0/x86_64/pidgin-client-2.5.8-0.2mdv2009.0.x86_64.rpm
b18bb378d4113d39cfd7f688b1d7d0e4 2009.0/x86_64/pidgin-gevolution-2.5.8-0.2mdv2009.0.x86_64.rpm
ddffc838f823bd823da1f9590ec70b92 2009.0/x86_64/pidgin-i18n-2.5.8-0.2mdv2009.0.x86_64.rpm
a5144eb447ec121820eae2d95429634a 2009.0/x86_64/pidgin-meanwhile-2.5.8-0.2mdv2009.0.x86_64.rpm
864a95349dc2f85f41d337f35f7e22d0 2009.0/x86_64/pidgin-mono-2.5.8-0.2mdv2009.0.x86_64.rpm
40117254cd1226cd29e233c48de1b6e2 2009.0/x86_64/pidgin-perl-2.5.8-0.2mdv2009.0.x86_64.rpm
45e24144e272a726ece9206bf2d7ca37 2009.0/x86_64/pidgin-plugins-2.5.8-0.2mdv2009.0.x86_64.rpm
7966dacf3a120cb25d463ae6cc96da66 2009.0/x86_64/pidgin-silc-2.5.8-0.2mdv2009.0.x86_64.rpm
c2f86df2348c18f6f88f0f044fc0858c 2009.0/x86_64/pidgin-tcl-2.5.8-0.2mdv2009.0.x86_64.rpm
f58c790083e6cbe2e18ca162368b8222 2009.0/SRPMS/pidgin-2.5.8-0.2mdv2009.0.src.rpm

Mandriva Linux 2009.1:
f67e4c3f8d66c7f41d138a0786bf002b 2009.1/i586/finch-2.5.8-0.2mdv2009.1.i586.rpm
a1458b3a10086562af8588b14a6e7648 2009.1/i586/libfinch0-2.5.8-0.2mdv2009.1.i586.rpm
9369bcf4e812f4085f0db10301f052ad 2009.1/i586/libpurple0-2.5.8-0.2mdv2009.1.i586.rpm
92f4b3e3fc1380dccbbc5b1d34cc3893 2009.1/i586/libpurple-devel-2.5.8-0.2mdv2009.1.i586.rpm
2146bd6f5200d0f92678481f4a570f14 2009.1/i586/pidgin-2.5.8-0.2mdv2009.1.i586.rpm
cfcd5d1fa2d5526c28fc63ac458ef0ef 2009.1/i586/pidgin-bonjour-2.5.8-0.2mdv2009.1.i586.rpm
6e3afaf1f4838268abef2ce4d285ff9f 2009.1/i586/pidgin-client-2.5.8-0.2mdv2009.1.i586.rpm
de326d636c98402ffdc1ee1e2e0daa4b 2009.1/i586/pidgin-gevolution-2.5.8-0.2mdv2009.1.i586.rpm
e7b3ff08b89ae7d3bd3ac06edbda2e34 2009.1/i586/pidgin-i18n-2.5.8-0.2mdv2009.1.i586.rpm
18991a44ed768591999de24430f0243b 2009.1/i586/pidgin-meanwhile-2.5.8-0.2mdv2009.1.i586.rpm
1cdd6f5ef69508e38354e24dea17e1a9 2009.1/i586/pidgin-mono-2.5.8-0.2mdv2009.1.i586.rpm
35188862c9641d841e85f5b22dad7449 2009.1/i586/pidgin-perl-2.5.8-0.2mdv2009.1.i586.rpm
7d4e325b6008d26458291e7b7951eaec 2009.1/i586/pidgin-plugins-2.5.8-0.2mdv2009.1.i586.rpm
e6c6d611f2f3085920a2715b6f1d01d8 2009.1/i586/pidgin-silc-2.5.8-0.2mdv2009.1.i586.rpm
0cadc9118ed484b073560423be0feaf4 2009.1/i586/pidgin-tcl-2.5.8-0.2mdv2009.1.i586.rpm
ebb50e4b0a97cc460e2d8486f3c01eed 2009.1/SRPMS/pidgin-2.5.8-0.2mdv2009.1.src.rpm

Mandriva Linux 2009.1/X86_64:
d1b2d58b4e4c931e45c331b888ef1084 2009.1/x86_64/finch-2.5.8-0.2mdv2009.1.x86_64.rpm
57cc9ff2f0f54697c2490fbd8726b181 2009.1/x86_64/lib64finch0-2.5.8-0.2mdv2009.1.x86_64.rpm
7606985a068954fca5d16d7333ff2222 2009.1/x86_64/lib64purple0-2.5.8-0.2mdv2009.1.x86_64.rpm
6114731e237d3e5c066edc6a5a40290e 2009.1/x86_64/lib64purple-devel-2.5.8-0.2mdv2009.1.x86_64.rpm
66c33bfa51bdc6a125c776f76486f29e 2009.1/x86_64/pidgin-2.5.8-0.2mdv2009.1.x86_64.rpm
fc0d59febb37fd8422a57dd759130bb8 2009.1/x86_64/pidgin-bonjour-2.5.8-0.2mdv2009.1.x86_64.rpm
d781057e99674e435243a6fc1ccd9c50 2009.1/x86_64/pidgin-client-2.5.8-0.2mdv2009.1.x86_64.rpm
0ce092cc85f8024e33361f488ff5f617 2009.1/x86_64/pidgin-gevolution-2.5.8-0.2mdv2009.1.x86_64.rpm
0db0e946667615e20c3ce2aae0c8c840 2009.1/x86_64/pidgin-i18n-2.5.8-0.2mdv2009.1.x86_64.rpm
8ac630cc5228aabd7c64ebad0708dfbc 2009.1/x86_64/pidgin-meanwhile-2.5.8-0.2mdv2009.1.x86_64.rpm
71843c7958e5e037137ac62f52ec59a8 2009.1/x86_64/pidgin-mono-2.5.8-0.2mdv2009.1.x86_64.rpm
2b3a2fccde7218a226f07497ab18acda 2009.1/x86_64/pidgin-perl-2.5.8-0.2mdv2009.1.x86_64.rpm
6c13aed8b7090e0ce146b64fe479e822 2009.1/x86_64/pidgin-plugins-2.5.8-0.2mdv2009.1.x86_64.rpm
81ffeb84eea5f93f0e94e7035c858107 2009.1/x86_64/pidgin-silc-2.5.8-0.2mdv2009.1.x86_64.rpm
93ef210add576d311aa2a033cef3c77c 2009.1/x86_64/pidgin-tcl-2.5.8-0.2mdv2009.1.x86_64.rpm
ebb50e4b0a97cc460e2d8486f3c01eed 2009.1/SRPMS/pidgin-2.5.8-0.2mdv2009.1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKSkfAmqjQ0CJFipgRAjXiAJ0e+atKRUTzOr6SQ+DgOHwOvk02qgCeMPFg
+H4DlSU9YzPLzeKFhKFdE94=
=uRxq
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • [ MDVSA-2009:147 ] pidgin
    ... Security vulnerabilities has been identified and fixed in pidgin: ... Buffer overflow in the decrypt_out function in Pidgin ... Mandriva Linux 2009.0/X86_64: ... All packages are signed by Mandriva for security. ...
    (Bugtraq)
  • [Full-disclosure] [ MDVSA-2010:041 ] pidgin
    ... Package: pidgin ... Packages for 2008.0 are provided for Corporate Desktop 2008.0 ... Mandriva Linux 2008.0/X86_64: ... All packages are signed by Mandriva for security. ...
    (Full-Disclosure)
  • [ MDVSA-2010:041 ] pidgin
    ... Package: pidgin ... Packages for 2008.0 are provided for Corporate Desktop 2008.0 ... Mandriva Linux 2008.0/X86_64: ... All packages are signed by Mandriva for security. ...
    (Bugtraq)
  • [Full-disclosure] [ MDVSA-2011:132-1 ] pidgin
    ... Multiple vulnerabilities has been identified and fixed in pidgin: ... Packages for Mandriva Linux 2011 is now being provided as well. ...
    (Full-Disclosure)
  • [ MDVSA-2011:132-1 ] pidgin
    ... Multiple vulnerabilities has been identified and fixed in pidgin: ... Packages for Mandriva Linux 2011 is now being provided as well. ...
    (Bugtraq)