-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:147 http://www.mandriva.com/security/ _______________________________________________________________________ Package : pidgin Date : June 30, 2009 Affected: 2009.0, 2009.1 _______________________________________________________________________ Problem Description: Security vulnerabilities has been identified and fixed in pidgin: Buffer overflow in the XMPP SOCKS5 bytestream server in Pidgin (formerly Gaim) before 2.5.6 allows remote authenticated users to execute arbitrary code via vectors involving an outbound XMPP file transfer. NOTE: some of these details are obtained from third party information (CVE-2009-1373). Buffer overflow in the decrypt_out function in Pidgin (formerly Gaim) before 2.5.6 allows remote attackers to cause a denial of service (application crash) via a QQ packet (CVE-2009-1374). The PurpleCircBuffer implementation in Pidgin (formerly Gaim) before 2.5.6 does not properly maintain a certain buffer, which allows remote attackers to cause a denial of service (memory corruption and application crash) via vectors involving the (1) XMPP or (2) Sametime protocol (CVE-2009-1375). Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin (formerly Gaim) before 2.5.6 on 32-bit platforms allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, leading to buffer overflows. NOTE: this issue exists because of an incomplete fix for CVE-2008-2927 (CVE-2009-1376). This update provides pidgin 2.5.8, which is not vulnerable to these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1373 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1374 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1375 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1376 http://pidgin.im/news/security/ _______________________________________________________________________ Updated Packages: Mandriva Linux 2009.0: 0b9c5812047b6913b62d962d6b2e23ce 2009.0/i586/finch-2.5.8-0.2mdv2009.0.i586.rpm 2e163af32cb31fcbadb823def93ed7f8 2009.0/i586/libfinch0-2.5.8-0.2mdv2009.0.i586.rpm 8ac2c52ffdab796e3dad1d38733064ff 2009.0/i586/libpurple0-2.5.8-0.2mdv2009.0.i586.rpm f0db58c858207f9560548d949b48d261 2009.0/i586/libpurple-devel-2.5.8-0.2mdv2009.0.i586.rpm 5169c7ebe58ae7180849d7ed517121c8 2009.0/i586/pidgin-2.5.8-0.2mdv2009.0.i586.rpm 4d13d3689764970fa898c1fad1cc5764 2009.0/i586/pidgin-bonjour-2.5.8-0.2mdv2009.0.i586.rpm a1830c84222ffc88855d8eb92c859641 2009.0/i586/pidgin-client-2.5.8-0.2mdv2009.0.i586.rpm bf2b1e97c096cc0448d808a4a88b3f3e 2009.0/i586/pidgin-gevolution-2.5.8-0.2mdv2009.0.i586.rpm f7fc2376cacab7d26ae56ee6b64349a0 2009.0/i586/pidgin-i18n-2.5.8-0.2mdv2009.0.i586.rpm edaa8098fc045f2d62eb34520a15dc3f 2009.0/i586/pidgin-meanwhile-2.5.8-0.2mdv2009.0.i586.rpm 11ffe25c191b1e3e9960ed082390f7c4 2009.0/i586/pidgin-mono-2.5.8-0.2mdv2009.0.i586.rpm 7c52bfd76a126296d01db5f91070697e 2009.0/i586/pidgin-perl-2.5.8-0.2mdv2009.0.i586.rpm f1a0e77257376b4ae76d3860798a1f48 2009.0/i586/pidgin-plugins-2.5.8-0.2mdv2009.0.i586.rpm d9d098ba185b307bd6a1841e34b6f34f 2009.0/i586/pidgin-silc-2.5.8-0.2mdv2009.0.i586.rpm 85e866aa7309873647ee6dbd8e25f19b 2009.0/i586/pidgin-tcl-2.5.8-0.2mdv2009.0.i586.rpm f58c790083e6cbe2e18ca162368b8222 2009.0/SRPMS/pidgin-2.5.8-0.2mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: 1261bbf57c000e72386cc2527b5dc36f 2009.0/x86_64/finch-2.5.8-0.2mdv2009.0.x86_64.rpm a8e36217c7bb9382fec36b3678d7f22a 2009.0/x86_64/lib64finch0-2.5.8-0.2mdv2009.0.x86_64.rpm cc68a1500a192bcd1e1e74b01bfa88f6 2009.0/x86_64/lib64purple0-2.5.8-0.2mdv2009.0.x86_64.rpm b023996495bfccbcc42546ee50d86cb8 2009.0/x86_64/lib64purple-devel-2.5.8-0.2mdv2009.0.x86_64.rpm 483d34d8c6dbd627c8f42ca7026c4891 2009.0/x86_64/pidgin-2.5.8-0.2mdv2009.0.x86_64.rpm dd297e049a355c5a577fd6ff05fa8e1a 2009.0/x86_64/pidgin-bonjour-2.5.8-0.2mdv2009.0.x86_64.rpm 99552bd5cdc82dbcc654fce15f61d092 2009.0/x86_64/pidgin-client-2.5.8-0.2mdv2009.0.x86_64.rpm b18bb378d4113d39cfd7f688b1d7d0e4 2009.0/x86_64/pidgin-gevolution-2.5.8-0.2mdv2009.0.x86_64.rpm ddffc838f823bd823da1f9590ec70b92 2009.0/x86_64/pidgin-i18n-2.5.8-0.2mdv2009.0.x86_64.rpm a5144eb447ec121820eae2d95429634a 2009.0/x86_64/pidgin-meanwhile-2.5.8-0.2mdv2009.0.x86_64.rpm 864a95349dc2f85f41d337f35f7e22d0 2009.0/x86_64/pidgin-mono-2.5.8-0.2mdv2009.0.x86_64.rpm 40117254cd1226cd29e233c48de1b6e2 2009.0/x86_64/pidgin-perl-2.5.8-0.2mdv2009.0.x86_64.rpm 45e24144e272a726ece9206bf2d7ca37 2009.0/x86_64/pidgin-plugins-2.5.8-0.2mdv2009.0.x86_64.rpm 7966dacf3a120cb25d463ae6cc96da66 2009.0/x86_64/pidgin-silc-2.5.8-0.2mdv2009.0.x86_64.rpm c2f86df2348c18f6f88f0f044fc0858c 2009.0/x86_64/pidgin-tcl-2.5.8-0.2mdv2009.0.x86_64.rpm f58c790083e6cbe2e18ca162368b8222 2009.0/SRPMS/pidgin-2.5.8-0.2mdv2009.0.src.rpm Mandriva Linux 2009.1: f67e4c3f8d66c7f41d138a0786bf002b 2009.1/i586/finch-2.5.8-0.2mdv2009.1.i586.rpm a1458b3a10086562af8588b14a6e7648 2009.1/i586/libfinch0-2.5.8-0.2mdv2009.1.i586.rpm 9369bcf4e812f4085f0db10301f052ad 2009.1/i586/libpurple0-2.5.8-0.2mdv2009.1.i586.rpm 92f4b3e3fc1380dccbbc5b1d34cc3893 2009.1/i586/libpurple-devel-2.5.8-0.2mdv2009.1.i586.rpm 2146bd6f5200d0f92678481f4a570f14 2009.1/i586/pidgin-2.5.8-0.2mdv2009.1.i586.rpm cfcd5d1fa2d5526c28fc63ac458ef0ef 2009.1/i586/pidgin-bonjour-2.5.8-0.2mdv2009.1.i586.rpm 6e3afaf1f4838268abef2ce4d285ff9f 2009.1/i586/pidgin-client-2.5.8-0.2mdv2009.1.i586.rpm de326d636c98402ffdc1ee1e2e0daa4b 2009.1/i586/pidgin-gevolution-2.5.8-0.2mdv2009.1.i586.rpm e7b3ff08b89ae7d3bd3ac06edbda2e34 2009.1/i586/pidgin-i18n-2.5.8-0.2mdv2009.1.i586.rpm 18991a44ed768591999de24430f0243b 2009.1/i586/pidgin-meanwhile-2.5.8-0.2mdv2009.1.i586.rpm 1cdd6f5ef69508e38354e24dea17e1a9 2009.1/i586/pidgin-mono-2.5.8-0.2mdv2009.1.i586.rpm 35188862c9641d841e85f5b22dad7449 2009.1/i586/pidgin-perl-2.5.8-0.2mdv2009.1.i586.rpm 7d4e325b6008d26458291e7b7951eaec 2009.1/i586/pidgin-plugins-2.5.8-0.2mdv2009.1.i586.rpm e6c6d611f2f3085920a2715b6f1d01d8 2009.1/i586/pidgin-silc-2.5.8-0.2mdv2009.1.i586.rpm 0cadc9118ed484b073560423be0feaf4 2009.1/i586/pidgin-tcl-2.5.8-0.2mdv2009.1.i586.rpm ebb50e4b0a97cc460e2d8486f3c01eed 2009.1/SRPMS/pidgin-2.5.8-0.2mdv2009.1.src.rpm Mandriva Linux 2009.1/X86_64: d1b2d58b4e4c931e45c331b888ef1084 2009.1/x86_64/finch-2.5.8-0.2mdv2009.1.x86_64.rpm 57cc9ff2f0f54697c2490fbd8726b181 2009.1/x86_64/lib64finch0-2.5.8-0.2mdv2009.1.x86_64.rpm 7606985a068954fca5d16d7333ff2222 2009.1/x86_64/lib64purple0-2.5.8-0.2mdv2009.1.x86_64.rpm 6114731e237d3e5c066edc6a5a40290e 2009.1/x86_64/lib64purple-devel-2.5.8-0.2mdv2009.1.x86_64.rpm 66c33bfa51bdc6a125c776f76486f29e 2009.1/x86_64/pidgin-2.5.8-0.2mdv2009.1.x86_64.rpm fc0d59febb37fd8422a57dd759130bb8 2009.1/x86_64/pidgin-bonjour-2.5.8-0.2mdv2009.1.x86_64.rpm d781057e99674e435243a6fc1ccd9c50 2009.1/x86_64/pidgin-client-2.5.8-0.2mdv2009.1.x86_64.rpm 0ce092cc85f8024e33361f488ff5f617 2009.1/x86_64/pidgin-gevolution-2.5.8-0.2mdv2009.1.x86_64.rpm 0db0e946667615e20c3ce2aae0c8c840 2009.1/x86_64/pidgin-i18n-2.5.8-0.2mdv2009.1.x86_64.rpm 8ac630cc5228aabd7c64ebad0708dfbc 2009.1/x86_64/pidgin-meanwhile-2.5.8-0.2mdv2009.1.x86_64.rpm 71843c7958e5e037137ac62f52ec59a8 2009.1/x86_64/pidgin-mono-2.5.8-0.2mdv2009.1.x86_64.rpm 2b3a2fccde7218a226f07497ab18acda 2009.1/x86_64/pidgin-perl-2.5.8-0.2mdv2009.1.x86_64.rpm 6c13aed8b7090e0ce146b64fe479e822 2009.1/x86_64/pidgin-plugins-2.5.8-0.2mdv2009.1.x86_64.rpm 81ffeb84eea5f93f0e94e7035c858107 2009.1/x86_64/pidgin-silc-2.5.8-0.2mdv2009.1.x86_64.rpm 93ef210add576d311aa2a033cef3c77c 2009.1/x86_64/pidgin-tcl-2.5.8-0.2mdv2009.1.x86_64.rpm ebb50e4b0a97cc460e2d8486f3c01eed 2009.1/SRPMS/pidgin-2.5.8-0.2mdv2009.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFKSkfAmqjQ0CJFipgRAjXiAJ0e+atKRUTzOr6SQ+DgOHwOvk02qgCeMPFg +H4DlSU9YzPLzeKFhKFdE94= =uRxq -----END PGP SIGNATURE-----
