Mandriva Linux Security Advisory 2011-132-1

Posted Sep 17, 2011
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2011-132 - Multiple vulnerabilities have been identified and fixed in pidgin. It was found that the gdk-pixbuf GIF image loader routine gdk_pixbuf__gif_image_load() did not properly handle certain return values from its subroutines. A remote attacker could provide a specially-crafted GIF image, which, once opened in Pidgin, would lead gdk-pixbuf to return a partially initialized pixbuf structure. Various other issues were also addressed.

tags | advisory, remote, vulnerability
systems | linux, mandriva
advisories | CVE-2011-2485, CVE-2011-2943, CVE-2011-3184
MD5 | 5b28ab32a3b65ab9fef30a9280b235be

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2011:132-1
http://www.mandriva.com/security/
_______________________________________________________________________

Package : pidgin
Date : September 17, 2011
Affected: 2011.
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been identified and fixed in pidgin:

It was found that the gdk-pixbuf GIF image loader routine
gdk_pixbuf__gif_image_load() did not properly handle certain return
values from its subroutines. A remote attacker could provide a
specially-crafted GIF image, which, once opened in Pidgin, would lead
gdk-pixbuf to return a partially initialized pixbuf structure. Using
this structure, possibly containing a huge width and height, could
lead to the application being terminated due to excessive memory use
(CVE-2011-2485).

Certain characters in the nicknames of IRC users can trigger a
null pointer dereference in the IRC protocol plugin's handling of
responses to WHO requests. This can cause a crash on some operating
systems. Clients based on libpurple 2.8.0 through 2.9.0 are affected
(CVE-2011-2943).

Incorrect handling of HTTP 100 responses in the MSN protocol plugin
can cause the application to attempt to access memory that it does
not have access to. This only affects users who have turned on the
HTTP connection method for their accounts (it's off by default). This
might only be triggerable by a malicious server and not a malicious
peer. We believe remote code execution is not possible (CVE-2011-3184).

This update provides pidgin 2.10.0, which is not vulnerable to
these issues.

Update:

Packages for Mandriva Linux 2011 are now being provided as well. Enjoy!
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2943
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3184
http://pidgin.im/news/security/
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2011:
f30d9eb8784ecc490e9267a3afd9681d 2011/i586/finch-2.10.0-0.1-mdv2011.0.i586.rpm
c3cef6e7db660c78a52241d427fe67c6 2011/i586/libfinch0-2.10.0-0.1-mdv2011.0.i586.rpm
b1bda00d68d706954d0a23ff13053bbe 2011/i586/libpurple0-2.10.0-0.1-mdv2011.0.i586.rpm
b1e05edaa2a234697a8618da370a5eba 2011/i586/libpurple-devel-2.10.0-0.1-mdv2011.0.i586.rpm
e8a6321eabf0e88b13a7121e06f88588 2011/i586/pidgin-2.10.0-0.1-mdv2011.0.i586.rpm
df8b6157762c34972b26959e9e0b8670 2011/i586/pidgin-bonjour-2.10.0-0.1-mdv2011.0.i586.rpm
323307becdb33612085c108356de0fe0 2011/i586/pidgin-client-2.10.0-0.1-mdv2011.0.i586.rpm
4ff033d530ce6925dc5c3c9516f0f71e 2011/i586/pidgin-gevolution-2.10.0-0.1-mdv2011.0.i586.rpm
e7282726de99c169675a927ee87e318d 2011/i586/pidgin-i18n-2.10.0-0.1-mdv2011.0.i586.rpm
5b0d0784b39a4fb7fb179e5083a4f0f6 2011/i586/pidgin-meanwhile-2.10.0-0.1-mdv2011.0.i586.rpm
0f3fbed0cdbb0cb9c0d8621d821d34c8 2011/i586/pidgin-perl-2.10.0-0.1-mdv2011.0.i586.rpm
9117f4f6cd51b274ebfe32b8df1355fb 2011/i586/pidgin-plugins-2.10.0-0.1-mdv2011.0.i586.rpm
da47178daab129eac1b2d334330ebe9b 2011/i586/pidgin-silc-2.10.0-0.1-mdv2011.0.i586.rpm
c694a44d5051390026fa75b7b71ad0a8 2011/i586/pidgin-tcl-2.10.0-0.1-mdv2011.0.i586.rpm
c33eef6270b588ee33df4ddaa968eab3 2011/SRPMS/pidgin-2.10.0-0.1.src.rpm

Mandriva Linux 2011/X86_64:
7cd751354229ed6dec93d7ec652758f7 2011/x86_64/finch-2.10.0-0.1-mdv2011.0.x86_64.rpm
14af8584523addd64e870ac6deb71bb6 2011/x86_64/lib64finch0-2.10.0-0.1-mdv2011.0.x86_64.rpm
fb55c6c1c349145794147f4e5e855f63 2011/x86_64/lib64purple0-2.10.0-0.1-mdv2011.0.x86_64.rpm
676eea02b713243dd259edac8260eaaf 2011/x86_64/lib64purple-devel-2.10.0-0.1-mdv2011.0.x86_64.rpm
de0cda6937539b552c605bb02547a606 2011/x86_64/pidgin-2.10.0-0.1-mdv2011.0.x86_64.rpm
c50b5acc263a44cfcfde9aba892aefb8 2011/x86_64/pidgin-bonjour-2.10.0-0.1-mdv2011.0.x86_64.rpm
95445621358bebfe246778e3195bd496 2011/x86_64/pidgin-client-2.10.0-0.1-mdv2011.0.x86_64.rpm
d32ef3d0c5f3e030dfe931cc11fcd0e5 2011/x86_64/pidgin-gevolution-2.10.0-0.1-mdv2011.0.x86_64.rpm
65ba1b2ee488d746fa45568d08f1ec6d 2011/x86_64/pidgin-i18n-2.10.0-0.1-mdv2011.0.x86_64.rpm
371e329ab6aa9f90131b37d971bb0520 2011/x86_64/pidgin-meanwhile-2.10.0-0.1-mdv2011.0.x86_64.rpm
2956fd8520f7a92cff7345d85b71f6a3 2011/x86_64/pidgin-perl-2.10.0-0.1-mdv2011.0.x86_64.rpm
11c8e87c57ecbee206b18e94dd2b0e7a 2011/x86_64/pidgin-plugins-2.10.0-0.1-mdv2011.0.x86_64.rpm
e1bf5b177d8f0c2e2107702dc14d55e5 2011/x86_64/pidgin-silc-2.10.0-0.1-mdv2011.0.x86_64.rpm
79fbeed99bac330be3028501122997af 2011/x86_64/pidgin-tcl-2.10.0-0.1-mdv2011.0.x86_64.rpm
c33eef6270b588ee33df4ddaa968eab3 2011/SRPMS/pidgin-2.10.0-0.1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
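When packages are fetched from a mirror by hand rather than through urpmi, the automatic md5 check described above does not run. The following POSIX sh function is an added example, not Mandriva tooling: it reads lines in the "<md5> <path>" form used by the "Updated Packages" section and compares each file under a mirror root against its listed checksum (it assumes a coreutils or BusyBox md5sum and that section headers and separator lines may be mixed into the listing).

```shell
#!/bin/sh
# Added example (not from the advisory): manual MD5 verification of
# downloaded RPMs against an advisory's "<md5> <path>" listing.
# Assumes: md5sum on PATH; listing lines look like
#   "e8a6321eabf0e88b13a7121e06f88588 2011/i586/pidgin-2.10.0-0.1-mdv2011.0.i586.rpm"
# Non-checksum lines (headers such as "Mandriva Linux 2011:", rules of
# underscores, blanks) are skipped rather than treated as failures.
set -u

# verify_listing LISTING ROOT
# Prints one verdict per listed file; returns 0 only when every listed
# file exists under ROOT and its MD5 matches, 1 otherwise.
verify_listing() {
    listing=$1   # text file holding the "<md5> <path>" lines
    root=$2      # directory the relative paths resolve against
    bad=0
    while read -r expected path; do
        # First field must be exactly 32 lowercase hex digits to count
        # as a checksum line; anything else is header/separator noise.
        case $expected in
            "" | *[!0-9a-f]* ) continue ;;
        esac
        [ ${#expected} -eq 32 ] || continue
        [ -n "$path" ] || continue
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"
            bad=1
            continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (got $actual)"
            bad=1
        fi
    done < "$listing"
    return $bad
}
```

Pair this with `rpm --checksig` on each file after importing the Mandriva key with the gpg command above, since a matching MD5 only proves the download matches the listing, not that the listing itself is authentic.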

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
