Ubuntu Security Notice 1746-1 - Chris Wysopal discovered that Pidgin incorrectly handled file transfers in the MXit protocol handler. A remote attacker could use this issue to create or overwrite arbitrary files. This issue only affected Ubuntu 11.10, Ubuntu 12.04 LTS and Ubuntu 12.10. It was discovered that Pidgin incorrectly handled long HTTP headers in the MXit protocol handler. A malicious remote server could use this issue to execute arbitrary code. Various other issues were also addressed.
cab8da5f6e98651feb98f652311a38e0a1209f3942cdce9adda737ce25ba333d============================================================================
Ubuntu Security Notice USN-1746-1
February 25, 2013
pidgin vulnerabilities
============================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.10
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Pidgin.
Software Description:
- pidgin: graphical multi-protocol instant messaging client for X
Details:
Chris Wysopal discovered that Pidgin incorrectly handled file transfers in
the MXit protocol handler. A remote attacker could use this issue to create
or overwrite arbitrary files. This issue only affected Ubuntu 11.10,
Ubuntu 12.04 LTS and Ubuntu 12.10. (CVE-2013-0271)
It was discovered that Pidgin incorrectly handled long HTTP headers in the
MXit protocol handler. A malicious remote server could use this issue to
execute arbitrary code. (CVE-2013-0272)
It was discovered that Pidgin incorrectly handled long user IDs in the
Sametime protocol handler. A malicious remote server could use this issue
to cause Pidgin to crash, resulting in a denial of service. (CVE-2013-0273)
It was discovered that Pidgin incorrectly handled long strings when
processing UPnP responses. A remote attacker could use this issue to cause
Pidgin to crash, resulting in a denial of service. (CVE-2013-0274)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.10:
libpurple0 1:2.10.6-0ubuntu2.2
pidgin 1:2.10.6-0ubuntu2.2
Ubuntu 12.04 LTS:
libpurple0 1:2.10.3-0ubuntu1.3
pidgin 1:2.10.3-0ubuntu1.3
Ubuntu 11.10:
libpurple0 1:2.10.0-0ubuntu2.2
pidgin 1:2.10.0-0ubuntu2.2
Ubuntu 10.04 LTS:
libpurple0 1:2.6.6-1ubuntu4.6
pidgin 1:2.6.6-1ubuntu4.6
After a standard system update you need to restart Pidgin to make all the
necessary changes.
References:
http://www.ubuntu.com/usn/usn-1746-1
CVE-2013-0271, CVE-2013-0272, CVE-2013-0273, CVE-2013-0274
Package Information:
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.6-0ubuntu2.2
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.3-0ubuntu1.3
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.0-0ubuntu2.2
https://launchpad.net/ubuntu/+source/pidgin/1:2.6.6-1ubuntu4.6
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed