-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2010:085
http://www.mandriva.com/security/
_______________________________________________________________________

Package : pidgin
Date    : April 28, 2010
Affected: 2009.0
_______________________________________________________________________

Problem Description:

Security vulnerabilities have been identified and fixed in pidgin:

The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium
before 1.3.7 allows remote attackers to cause a denial of service
(application crash) via crafted contact-list data for (1) ICQ and
possibly (2) AIM, as demonstrated by the SIM IM client (CVE-2009-3615).

Directory traversal vulnerability in slp.c in the MSN protocol plugin in
libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read
arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN
emoticon (aka custom smiley) request, a related issue to CVE-2004-0122.
NOTE: it could be argued that this is resultant from a vulnerability in
which an emoticon download request is processed even without a preceding
text/x-mms-emoticon message that announced availability of the emoticon
(CVE-2010-0013).

Certain malformed SLP messages can trigger a crash because the MSN
protocol plugin fails to check that all pieces of the message are set
correctly (CVE-2010-0277).
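The two defects behind CVE-2010-0013 are independent: the request name was used without confining it to the smiley directory, and requests were served even when nothing had been announced. The following is an added example, not code from Pidgin, libpurple or Mandriva, showing both checks together in one small store; the class, method names and the base directory are assumptions made for this illustration, and the request strings are constructed.

```python
"""Containment plus announcement check for peer-supplied file names,
modelled on the MSN custom-smiley request described in the advisory.

Added example; not libpurple's slp.c. EmoticonStore and its methods are
hypothetical names chosen for this illustration."""
import posixpath


class EmoticonStore:
    """Serves custom smileys from one base directory, and only those the
    local user previously announced (text/x-mms-emoticon) to the peer."""

    def __init__(self, base_dir):
        # Normalise once so the containment test below compares like with like.
        self.base_dir = posixpath.normpath(base_dir)
        self.announced = set()

    def announce(self, name):
        """Record a smiley the local side offered to the peer."""
        self.announced.add(name)

    def resolve(self, requested):
        """Map a peer-supplied name to a path under base_dir, or None.

        Check 1: only names we announced may be requested at all.
        Check 2: the normalised path must stay inside base_dir, so a '..'
        in the name (or an absolute path) can never leave the store.
        Both checks are applied even if one alone would already refuse."""
        if requested not in self.announced:
            return None  # unsolicited download request
        if requested.startswith("/") or "\\" in requested or "\0" in requested:
            return None  # absolute path, foreign separator, or embedded NUL
        candidate = posixpath.normpath(posixpath.join(self.base_dir, requested))
        if not candidate.startswith(self.base_dir + "/"):
            return None  # '..' climbed out of the store, or named the directory itself
        return candidate


if __name__ == "__main__":
    # Constructed sample session: one announced smiley, then three requests.
    store = EmoticonStore("/home/alice/.purple/smileys")
    store.announce("smile.png")
    for name in ("smile.png", "../../.ssh/id_rsa", "sub/../smile.png"):
        print(repr(name), "->", store.resolve(name))
```

The announcement set is the fix the advisory's NOTE alludes to; the path containment is what the `..` traversal itself needed. Keeping both means a bug in one (say, an announcement recorded from a user-chosen shortcut) does not reopen the file read.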
If a user in a multi-user chat room has a nickname containing '<br>' then
libpurple ends up having two users with username '<br>' in the room, and
Finch crashes in this situation. We do not believe there is a possibility
of remote code execution (CVE-2010-0420).

oCERT notified us about a problem in Pidgin, where a large amount of
processing time will be used when inserting many smileys into an IM or
chat window. This should not cause a crash, but Pidgin can become
unusably slow (CVE-2010-0423).

Packages for 2009.0 are provided due to the Extended Maintenance Program.

This update provides pidgin 2.6.6, which is not vulnerable to these
issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3615
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0423
http://pidgin.im/news/security/
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2009.0:
ff6ea030872577e6b0554d9ad92a396a  2009.0/i586/finch-2.6.6-0.1mdv2009.0.i586.rpm
af78075de6309e9b6bee73321c26407f  2009.0/i586/libfinch0-2.6.6-0.1mdv2009.0.i586.rpm
844a556786c447a1ca145701079fdbdf  2009.0/i586/libpurple0-2.6.6-0.1mdv2009.0.i586.rpm
07909a8b9a8dc94d32d4334887f95e60  2009.0/i586/libpurple-devel-2.6.6-0.1mdv2009.0.i586.rpm
add7f860c109470332a924abdde94867  2009.0/i586/pidgin-2.6.6-0.1mdv2009.0.i586.rpm
473b623dd01143484f56aeec8198c038  2009.0/i586/pidgin-bonjour-2.6.6-0.1mdv2009.0.i586.rpm
ebbc0a0da115f42d557086d92952a593  2009.0/i586/pidgin-client-2.6.6-0.1mdv2009.0.i586.rpm
c2e797ac95c71799df4c5e07655c7102  2009.0/i586/pidgin-gevolution-2.6.6-0.1mdv2009.0.i586.rpm
b96046816302e5bb7f671282534acebe  2009.0/i586/pidgin-i18n-2.6.6-0.1mdv2009.0.i586.rpm
312ea5008d2d2925e146c097a042a2bc  2009.0/i586/pidgin-meanwhile-2.6.6-0.1mdv2009.0.i586.rpm
c1deaff7c0b2bcc8287b4e2d44a917b4  2009.0/i586/pidgin-mono-2.6.6-0.1mdv2009.0.i586.rpm
8966ecdef85c226fd04331a71a8d59a3  2009.0/i586/pidgin-perl-2.6.6-0.1mdv2009.0.i586.rpm
615e6e69dc77419a52df58f9500f3278  2009.0/i586/pidgin-plugins-2.6.6-0.1mdv2009.0.i586.rpm
6c5d548b6aead8023952b710662a0fdd  2009.0/i586/pidgin-silc-2.6.6-0.1mdv2009.0.i586.rpm
4c7e7cf01343077a7d880b049bfbeb89  2009.0/i586/pidgin-tcl-2.6.6-0.1mdv2009.0.i586.rpm
bc18b444b5c2c5bf1e6dbf5b350d120c  2009.0/SRPMS/pidgin-2.6.6-0.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64:
73f00980b1022b260483fb1186a8a857  2009.0/x86_64/finch-2.6.6-0.1mdv2009.0.x86_64.rpm
098f9f209c84f4f3cff9eebb225df45c  2009.0/x86_64/lib64finch0-2.6.6-0.1mdv2009.0.x86_64.rpm
4365bea65c0ef5b7d027820056c43ee7  2009.0/x86_64/lib64purple0-2.6.6-0.1mdv2009.0.x86_64.rpm
03790a91d3c7b2e40b23ffe5bd596d7f  2009.0/x86_64/lib64purple-devel-2.6.6-0.1mdv2009.0.x86_64.rpm
f0c784c60d1906840cb37dd164386009  2009.0/x86_64/pidgin-2.6.6-0.1mdv2009.0.x86_64.rpm
e126ad8f718245f969a07e68aac4ce75  2009.0/x86_64/pidgin-bonjour-2.6.6-0.1mdv2009.0.x86_64.rpm
5cb631dd7e07bd657dede89674ab0604  2009.0/x86_64/pidgin-client-2.6.6-0.1mdv2009.0.x86_64.rpm
bda2495720a394af0ff148b43c814e5d  2009.0/x86_64/pidgin-gevolution-2.6.6-0.1mdv2009.0.x86_64.rpm
6b51ecdb5b1c9b24caa0c04c67e5fa32  2009.0/x86_64/pidgin-i18n-2.6.6-0.1mdv2009.0.x86_64.rpm
cc23c3e478f8b4b923fa34128bf729eb  2009.0/x86_64/pidgin-meanwhile-2.6.6-0.1mdv2009.0.x86_64.rpm
7b569dc8c9584ae594165b0e985cc671  2009.0/x86_64/pidgin-mono-2.6.6-0.1mdv2009.0.x86_64.rpm
37b896476f725311f108e56758674a6e  2009.0/x86_64/pidgin-perl-2.6.6-0.1mdv2009.0.x86_64.rpm
2e5eda0cde9ad8105dab80080a14c361  2009.0/x86_64/pidgin-plugins-2.6.6-0.1mdv2009.0.x86_64.rpm
2d0ab0df7212fd47ba891974d8ac87f7  2009.0/x86_64/pidgin-silc-2.6.6-0.1mdv2009.0.x86_64.rpm
2790d06426db09a03d27771acb38dcbc  2009.0/x86_64/pidgin-tcl-2.6.6-0.1mdv2009.0.x86_64.rpm
bc18b444b5c2c5bf1e6dbf5b350d120c  2009.0/SRPMS/pidgin-2.6.6-0.1mdv2009.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID    Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFL2Fd7mqjQ0CJFipgRAvr2AKDwDW5HBKUXiYetxt285+rGrk/qmACgoHgG
0FjESzgHRyeSwqrTjtwz4v0=
=kXr/
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
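The advisory states that MandrivaUpdate and urpmi verify the md5 checksums and GPG signatures for you. For a machine without those tools, or for auditing a mirror, the following is an added example (not Mandriva's tooling) that parses the "Updated Packages" table and compares downloaded files against it. The two-line excerpt is copied from the table in the advisory; the stand-in file contents are constructed; the function names are assumptions made for this illustration.

```python
"""Check downloaded RPMs against the md5 sums listed in a Mandriva advisory.

Added example; not Mandriva's MandrivaUpdate/urpmi. The helper names
(parse_package_table, verify_packages, disk_fetch) are hypothetical."""
import hashlib
import os
import re
import sys

# Two real lines from the advisory's "Updated Packages" table (i586).
ADVISORY_EXCERPT = """\
Updated Packages:

Mandriva Linux 2009.0:
ff6ea030872577e6b0554d9ad92a396a  2009.0/i586/finch-2.6.6-0.1mdv2009.0.i586.rpm
af78075de6309e9b6bee73321c26407f  2009.0/i586/libfinch0-2.6.6-0.1mdv2009.0.i586.rpm
"""

# Constructed stand-in for a downloaded package body (not a real rpm).
SAMPLE_FILE = b"constructed stand-in for an rpm payload\n"

# One 32-hex-digit md5 followed by a relative .rpm path, one entry per line.
LINE_RE = re.compile(r"^\s*([0-9a-f]{32})\s+(\S+\.rpm)\s*$", re.MULTILINE)


def md5_hex(data):
    """Hex md5 of a byte string; md5 is what the advisory lists."""
    return hashlib.md5(data).hexdigest()


def parse_package_table(text):
    """Return {relative_path: md5hex} for every table line in text."""
    return {path: digest for digest, path in LINE_RE.findall(text)}


def verify_packages(expected, fetch):
    """Compare each expected entry with fetch(path) -> bytes or None.

    Returns {path: 'ok' | 'mismatch' | 'missing'} so a caller can report
    every package rather than stopping at the first problem."""
    results = {}
    for path, want in expected.items():
        data = fetch(path)
        if data is None:
            results[path] = "missing"
        elif md5_hex(data) == want:
            results[path] = "ok"
        else:
            results[path] = "mismatch"
    return results


def disk_fetch(root):
    """Build a fetch() that reads advisory-relative paths below root."""
    def fetch(rel):
        try:
            with open(os.path.join(root, rel), "rb") as fh:
                return fh.read()
        except FileNotFoundError:
            return None
    return fetch


if __name__ == "__main__":
    # Usage: python check_md5.py /path/to/mirror/root [advisory.txt]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else ADVISORY_EXCERPT
    for path, state in sorted(verify_packages(parse_package_table(text),
                                              disk_fetch(root)).items()):
        print(f"{state:8s} {path}")
```

The md5 table only catches truncated or corrupted downloads; what ties the table to Mandriva is the PGP signature on this advisory and the package signatures, both made with the key the advisory names (0x22458A98). Verify that signature first, then treat the table as trusted input.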