-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:025
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : pidgin
 Date    : March 14, 2013
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in pidgin:

 The MXit protocol plugin in libpurple in Pidgin before 2.10.7 might
 allow remote attackers to create or overwrite files via a crafted
 (1) mxit or (2) mxit/imagestrips pathname (CVE-2013-0271).

 Buffer overflow in http.c in the MXit protocol plugin in libpurple in
 Pidgin before 2.10.7 allows remote servers to execute arbitrary code
 via a long HTTP header (CVE-2013-0272).

 sametime.c in the Sametime protocol plugin in libpurple in Pidgin
 before 2.10.7 does not properly terminate long user IDs, which allows
 remote servers to cause a denial of service (application crash) via a
 crafted packet (CVE-2013-0273).

 upnp.c in libpurple in Pidgin before 2.10.7 does not properly
 terminate long strings in UPnP responses, which allows remote
 attackers to cause a denial of service (application crash) by
 leveraging access to the local network (CVE-2013-0274).

 This update provides pidgin 2.10.7, which is not vulnerable to these
 issues.
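 The two bug classes named above, a string copied into a fixed-size
 buffer without a terminator (the sametime.c and upnp.c entries) and a
 fixed field filled from an over-long HTTP header (the http.c entry),
 shown side by side with a hardened copy. This is an added example, not
 code from Pidgin or libpurple; FIELD_LEN, the function names and the
 sample inputs are assumptions made for the illustration.

```c
/*
 * Added illustration of the "unterminated long string" / "long header"
 * bug class.  Not Pidgin or libpurple code: FIELD_LEN, the function names
 * and the constructed inputs below are assumptions for the example.
 */
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 16   /* assumed fixed field size, kept small to make the bug visible */

/* Vulnerable pattern: strncpy() fills the whole buffer but adds no NUL when
 * the source is FIELD_LEN bytes or longer, so every later strlen() or
 * printf("%s") of `field` reads past the end of the array (a crash, or
 * worse, when the data comes from a remote peer).  Returns 1 if the copy is
 * NUL-terminated inside the buffer, 0 if it is not; the check uses memchr
 * bounded to FIELD_LEN so the demo itself never over-reads. */
int copy_field_unterminated(char field[FIELD_LEN], const char *src)
{
    strncpy(field, src, FIELD_LEN);
    return memchr(field, '\0', FIELD_LEN) != NULL;
}

/* Hardened pattern: bound the copy explicitly, always terminate, and refuse
 * (return -1) input that does not fit instead of silently truncating, so an
 * over-long server-supplied value is rejected rather than half-processed.
 * Returns the number of bytes stored on success. */
int copy_field_checked(char field[FIELD_LEN], const char *src, size_t src_len)
{
    if (src_len >= FIELD_LEN) {
        field[0] = '\0';
        return -1;
    }
    memcpy(field, src, src_len);
    field[src_len] = '\0';
    return (int)src_len;
}

/* Minimal "Name: value" header-line splitter for the HTTP case: strips the
 * leading whitespace and trailing CR/LF from the value and stores it with
 * the checked copy.  Returns the value length, or -1 when the line has no
 * colon or the value does not fit in FIELD_LEN. */
int parse_header_value(const char *line, char value[FIELD_LEN])
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return -1;
    const char *v = colon + 1;
    while (*v == ' ' || *v == '\t')
        v++;
    size_t n = strlen(v);
    while (n > 0 && (v[n - 1] == '\r' || v[n - 1] == '\n'))
        n--;
    return copy_field_checked(value, v, n);
}

int main(void)
{
    char field[FIELD_LEN];
    /* Constructed inputs: one identifier that fits, one longer than the field. */
    const char *short_id = "alice";
    const char *long_id  = "this-user-id-is-much-longer-than-the-field";

    printf("short id terminated: %d\n", copy_field_unterminated(field, short_id));
    printf("long id terminated:  %d\n", copy_field_unterminated(field, long_id));
    printf("checked copy of long id: %d\n",
           copy_field_checked(field, long_id, strlen(long_id)));
    printf("header value length: %d (\"%s\")\n",
           parse_header_value("Content-Length: 42\r\n", field), field);
    printf("over-long header: %d\n",
           parse_header_value("X-Long: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", field));
    return 0;
}
```

 The unterminated copy is harmless for the short input only because
 strncpy() happens to NUL-pad the rest of the buffer; the long input
 leaves no terminator at all, which is exactly the state a crafted packet
 or UPnP response puts the field in. The checked copy makes the length
 decision before touching the buffer and reports the rejection to the
 caller instead of truncating.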
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0271
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0272
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0273
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0274
 http://www.pidgin.im/news/security/
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 4eb267f970ddb2ad4d62321c269d4a9b  mes5/i586/finch-2.10.7-0.1mdvmes5.2.i586.rpm
 e21539113c76768f5d2e0a0a4a9f6cbc  mes5/i586/libfinch0-2.10.7-0.1mdvmes5.2.i586.rpm
 19fcd2343bc5a28cfac82570047dabc8  mes5/i586/libpurple0-2.10.7-0.1mdvmes5.2.i586.rpm
 1d1ec13029069d2e5670ecd9e5c2c084  mes5/i586/libpurple-devel-2.10.7-0.1mdvmes5.2.i586.rpm
 24f8bc13c74be1366165f8c04d4b67ac  mes5/i586/pidgin-2.10.7-0.1mdvmes5.2.i586.rpm
 fe6749ec8865e5cc96b16ddce0606e25  mes5/i586/pidgin-bonjour-2.10.7-0.1mdvmes5.2.i586.rpm
 76f84decf6d5834037ccf6b9ed4c68d9  mes5/i586/pidgin-client-2.10.7-0.1mdvmes5.2.i586.rpm
 41f63fd40174df1160a63ef44d881c3c  mes5/i586/pidgin-gevolution-2.10.7-0.1mdvmes5.2.i586.rpm
 936c150819cd7e8ac19e5f2d02bb684d  mes5/i586/pidgin-i18n-2.10.7-0.1mdvmes5.2.i586.rpm
 7c1d22d3777f7c49f7d49b09a1d43811  mes5/i586/pidgin-meanwhile-2.10.7-0.1mdvmes5.2.i586.rpm
 ca57564f29f191f3bae55c9ce6255234  mes5/i586/pidgin-perl-2.10.7-0.1mdvmes5.2.i586.rpm
 1882da3624a8dc8e27a51f3c867dbc88  mes5/i586/pidgin-plugins-2.10.7-0.1mdvmes5.2.i586.rpm
 37ee0fe3a08d109f069de07f8a218f27  mes5/i586/pidgin-silc-2.10.7-0.1mdvmes5.2.i586.rpm
 4d8bbdce9ce0e3b1ec663f4df384c70b  mes5/i586/pidgin-tcl-2.10.7-0.1mdvmes5.2.i586.rpm
 d8390c286670e49deee241267eb5070e  mes5/SRPMS/pidgin-2.10.7-0.1mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 00fb4dc53fd8cbf056d493ca75231d1c  mes5/x86_64/finch-2.10.7-0.1mdvmes5.2.x86_64.rpm
 f0a81cae3067ba8fa47f603af718e1bd  mes5/x86_64/lib64finch0-2.10.7-0.1mdvmes5.2.x86_64.rpm
 d50e2f1821a4912639b20fa678d4538b  mes5/x86_64/lib64purple0-2.10.7-0.1mdvmes5.2.x86_64.rpm
 5a73a3d942a97d581a5b89bfcc550be3  mes5/x86_64/lib64purple-devel-2.10.7-0.1mdvmes5.2.x86_64.rpm
 337ca23774f09a1f6e60d02ba1bdef3f  mes5/x86_64/pidgin-2.10.7-0.1mdvmes5.2.x86_64.rpm
 49d7a34e3af48fbf49d59a8dad1ca3fb  mes5/x86_64/pidgin-bonjour-2.10.7-0.1mdvmes5.2.x86_64.rpm
 53099ab83b0f4351d3668e2f84e6d2fa  mes5/x86_64/pidgin-client-2.10.7-0.1mdvmes5.2.x86_64.rpm
 31dc403c7863624346efaaa46027b3d1  mes5/x86_64/pidgin-gevolution-2.10.7-0.1mdvmes5.2.x86_64.rpm
 1ae8ab836a6caffa77b99fe6e5de31ae  mes5/x86_64/pidgin-i18n-2.10.7-0.1mdvmes5.2.x86_64.rpm
 beea935bc761483e50e5ec60bfeaa2a5  mes5/x86_64/pidgin-meanwhile-2.10.7-0.1mdvmes5.2.x86_64.rpm
 8d6abe0c106b5f9d24917cdad13ef668  mes5/x86_64/pidgin-perl-2.10.7-0.1mdvmes5.2.x86_64.rpm
 616204b1f131bf39fd77758765052286  mes5/x86_64/pidgin-plugins-2.10.7-0.1mdvmes5.2.x86_64.rpm
 60ef462c8b8f28b4280169a6bac8d22f  mes5/x86_64/pidgin-silc-2.10.7-0.1mdvmes5.2.x86_64.rpm
 78026cbae2cfdb327d64ed6b6b3fcc51  mes5/x86_64/pidgin-tcl-2.10.7-0.1mdvmes5.2.x86_64.rpm
 d8390c286670e49deee241267eb5070e  mes5/SRPMS/pidgin-2.10.7-0.1mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.
 You can obtain the GPG public key of the Mandriva Security Team by
 executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFRQYu3mqjQ0CJFipgRAr58AKDQLYGYW+NZgX602GRUgztcWcdlQQCeOwkZ
4zmmI8O7HUx/x0D8R4nidvU=
=Dsq6
-----END PGP SIGNATURE-----