[Full-disclosure] [ MDVSA-2012:029 ] pidgin




_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2012:029
http://www.mandriva.com/security/
_______________________________________________________________________

Package : pidgin
Date : March 16, 2012
Affected: 2011, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been discovered and corrected in pidgin:

The pidgin_conv_chat_rename_user function in gtkconv.c in Pidgin
before 2.10.2 allows remote attackers to cause a denial of service
(NULL pointer dereference and application crash) by changing a nickname
while in an XMPP chat room (CVE-2011-4939).

The msn_oim_report_to_user function in oim.c in the MSN protocol
plugin in libpurple in Pidgin before 2.10.2 allows remote servers to
cause a denial of service (application crash) via an OIM message that
lacks UTF-8 encoding (CVE-2012-1178).

This update provides pidgin 2.10.2, which is not vulnerable to
these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1178
http://www.pidgin.im/news/security/
http://pidgin.im/news/security/?id=60
http://pidgin.im/news/security/?id=61
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2011:

Mandriva Linux 2011/X86_64:

Mandriva Enterprise Server 5:

Mandriva Enterprise Server 5/X86_64:
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
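As a defender-side check added here (not part of the Mandriva advisory or its tooling): a Python script that parses the checksum lines of an "Updated Packages" section and compares them with packages fetched by hand rather than through urpmi. The `demo()` function builds a constructed advisory snippet and a temporary download directory inline, using the package file names from this advisory with hashes computed on the spot.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One "Updated Packages" entry: 32 hex MD5 digits, whitespace, relative rpm path.
ENTRY_RE = re.compile(r"^([0-9a-f]{32})\s+(\S+\.rpm)$", re.MULTILINE)

def parse_package_entries(advisory_text):
    """Return {relative_path: expected_md5} for every checksum line found."""
    return {path: md5 for md5, path in ENTRY_RE.findall(advisory_text)}

def md5_of_file(path, chunk_size=65536):
    """Stream the file so large RPMs do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_downloads(advisory_text, download_dir):
    """Map each listed package to "ok", "mismatch" or "missing"."""
    results = {}
    for rel_path, expected in parse_package_entries(advisory_text).items():
        local = Path(download_dir) / rel_path
        if not local.is_file():
            results[rel_path] = "missing"
        elif md5_of_file(local) == expected:
            results[rel_path] = "ok"
        else:
            results[rel_path] = "mismatch"
    return results

def demo():
    """Constructed scenario: hashes computed here; one file tampered, one absent."""
    good = "2011/i586/pidgin-2.10.2-0.1-mdv2011.0.i586.rpm"
    bad = "2011/i586/finch-2.10.2-0.1-mdv2011.0.i586.rpm"
    absent = "2011/SRPMS/pidgin-2.10.2-0.1.src.rpm"
    with tempfile.TemporaryDirectory() as tmp:
        lines = ["Mandriva Linux 2011:"]
        for rel, payload in ((good, b"good rpm payload"), (bad, b"finch payload")):
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(payload)
            lines.append(f"{hashlib.md5(payload).hexdigest()} {rel}")
        lines.append("0" * 32 + f" {absent}")  # placeholder hash; file never fetched
        (Path(tmp) / bad).write_bytes(b"corrupted on the way down")  # simulate damage
        return verify_downloads("\n".join(lines) + "\n", tmp)
```

The MD5 comparison catches a corrupted or truncated download; authenticity still rests on the GPG signature check described above, since MD5 is not collision-resistant.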

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
