Mandriva Linux Security Advisory 2013-025
Posted Mar 14, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-025 - The MXit protocol plugin in libpurple in Pidgin before 2.10.7 might allow remote attackers to create or overwrite files via a crafted mxit/imagestrips pathname. Buffer overflow in http.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.7 allows remote servers to execute arbitrary code via a long HTTP header. sametime.c in the Sametime protocol plugin in libpurple in Pidgin before 2.10.7 does not properly terminate long user IDs, which allows remote servers to cause a denial of service via a crafted packet. upnp.c in libpurple in Pidgin before 2.10.7 does not properly terminate long strings in UPnP responses, which allows remote attackers to cause a denial of service by leveraging access to the local network. This update provides pidgin 2.10.7, which is not vulnerable to these issues.

tags | advisory, remote, web, denial of service, overflow, arbitrary, local, protocol
systems | linux, mandriva
advisories | CVE-2013-0271, CVE-2013-0272, CVE-2013-0273, CVE-2013-0274
SHA-256 | 1947a7196d370ec292c6d6196bc378f7ab94ffd059b4a95d0ad67f48a214a6e6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2013:025
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : pidgin
Date : March 14, 2013
Affected: Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been discovered and corrected in pidgin:

The MXit protocol plugin in libpurple in Pidgin before 2.10.7 might
allow remote attackers to create or overwrite files via a crafted
(1) mxit or (2) mxit/imagestrips pathname (CVE-2013-0271).

Buffer overflow in http.c in the MXit protocol plugin in libpurple
in Pidgin before 2.10.7 allows remote servers to execute arbitrary
code via a long HTTP header (CVE-2013-0272).

sametime.c in the Sametime protocol plugin in libpurple in Pidgin
before 2.10.7 does not properly terminate long user IDs, which allows
remote servers to cause a denial of service (application crash)
via a crafted packet (CVE-2013-0273).

upnp.c in libpurple in Pidgin before 2.10.7 does not properly terminate
long strings in UPnP responses, which allows remote attackers to
cause a denial of service (application crash) by leveraging access
to the local network (CVE-2013-0274).

This update provides pidgin 2.10.7, which is not vulnerable to
these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0272
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0273
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0274
http://www.pidgin.im/news/security/
_______________________________________________________________________

Updated Packages:

Mandriva Enterprise Server 5:
4eb267f970ddb2ad4d62321c269d4a9b mes5/i586/finch-2.10.7-0.1mdvmes5.2.i586.rpm
e21539113c76768f5d2e0a0a4a9f6cbc mes5/i586/libfinch0-2.10.7-0.1mdvmes5.2.i586.rpm
19fcd2343bc5a28cfac82570047dabc8 mes5/i586/libpurple0-2.10.7-0.1mdvmes5.2.i586.rpm
1d1ec13029069d2e5670ecd9e5c2c084 mes5/i586/libpurple-devel-2.10.7-0.1mdvmes5.2.i586.rpm
24f8bc13c74be1366165f8c04d4b67ac mes5/i586/pidgin-2.10.7-0.1mdvmes5.2.i586.rpm
fe6749ec8865e5cc96b16ddce0606e25 mes5/i586/pidgin-bonjour-2.10.7-0.1mdvmes5.2.i586.rpm
76f84decf6d5834037ccf6b9ed4c68d9 mes5/i586/pidgin-client-2.10.7-0.1mdvmes5.2.i586.rpm
41f63fd40174df1160a63ef44d881c3c mes5/i586/pidgin-gevolution-2.10.7-0.1mdvmes5.2.i586.rpm
936c150819cd7e8ac19e5f2d02bb684d mes5/i586/pidgin-i18n-2.10.7-0.1mdvmes5.2.i586.rpm
7c1d22d3777f7c49f7d49b09a1d43811 mes5/i586/pidgin-meanwhile-2.10.7-0.1mdvmes5.2.i586.rpm
ca57564f29f191f3bae55c9ce6255234 mes5/i586/pidgin-perl-2.10.7-0.1mdvmes5.2.i586.rpm
1882da3624a8dc8e27a51f3c867dbc88 mes5/i586/pidgin-plugins-2.10.7-0.1mdvmes5.2.i586.rpm
37ee0fe3a08d109f069de07f8a218f27 mes5/i586/pidgin-silc-2.10.7-0.1mdvmes5.2.i586.rpm
4d8bbdce9ce0e3b1ec663f4df384c70b mes5/i586/pidgin-tcl-2.10.7-0.1mdvmes5.2.i586.rpm
d8390c286670e49deee241267eb5070e mes5/SRPMS/pidgin-2.10.7-0.1mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
00fb4dc53fd8cbf056d493ca75231d1c mes5/x86_64/finch-2.10.7-0.1mdvmes5.2.x86_64.rpm
f0a81cae3067ba8fa47f603af718e1bd mes5/x86_64/lib64finch0-2.10.7-0.1mdvmes5.2.x86_64.rpm
d50e2f1821a4912639b20fa678d4538b mes5/x86_64/lib64purple0-2.10.7-0.1mdvmes5.2.x86_64.rpm
5a73a3d942a97d581a5b89bfcc550be3 mes5/x86_64/lib64purple-devel-2.10.7-0.1mdvmes5.2.x86_64.rpm
337ca23774f09a1f6e60d02ba1bdef3f mes5/x86_64/pidgin-2.10.7-0.1mdvmes5.2.x86_64.rpm
49d7a34e3af48fbf49d59a8dad1ca3fb mes5/x86_64/pidgin-bonjour-2.10.7-0.1mdvmes5.2.x86_64.rpm
53099ab83b0f4351d3668e2f84e6d2fa mes5/x86_64/pidgin-client-2.10.7-0.1mdvmes5.2.x86_64.rpm
31dc403c7863624346efaaa46027b3d1 mes5/x86_64/pidgin-gevolution-2.10.7-0.1mdvmes5.2.x86_64.rpm
1ae8ab836a6caffa77b99fe6e5de31ae mes5/x86_64/pidgin-i18n-2.10.7-0.1mdvmes5.2.x86_64.rpm
beea935bc761483e50e5ec60bfeaa2a5 mes5/x86_64/pidgin-meanwhile-2.10.7-0.1mdvmes5.2.x86_64.rpm
8d6abe0c106b5f9d24917cdad13ef668 mes5/x86_64/pidgin-perl-2.10.7-0.1mdvmes5.2.x86_64.rpm
616204b1f131bf39fd77758765052286 mes5/x86_64/pidgin-plugins-2.10.7-0.1mdvmes5.2.x86_64.rpm
60ef462c8b8f28b4280169a6bac8d22f mes5/x86_64/pidgin-silc-2.10.7-0.1mdvmes5.2.x86_64.rpm
78026cbae2cfdb327d64ed6b6b3fcc51 mes5/x86_64/pidgin-tcl-2.10.7-0.1mdvmes5.2.x86_64.rpm
d8390c286670e49deee241267eb5070e mes5/SRPMS/pidgin-2.10.7-0.1mdvmes5.2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
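
For packages fetched by hand rather than through MandrivaUpdate or urpmi, the comparison against the "Updated Packages" list can be scripted. The following is an added example, not part of the Mandriva advisory: the function names are this example's own and the demo files are constructed. It checks integrity against the listed MD5 values only; authenticity still rests on the GPG signature.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One manifest line: 32 hex digits of MD5, whitespace, path ending in .rpm.
MANIFEST_LINE = re.compile(r"^\s*([0-9a-f]{32})\s+(\S+\.rpm)\s*$")

def parse_manifest(advisory_text):
    """Map rpm file name -> expected MD5 from the 'Updated Packages' lines."""
    expected = {}
    for line in advisory_text.splitlines():
        m = MANIFEST_LINE.match(line)
        if m:
            digest, name = m.group(1), m.group(2).rsplit("/", 1)[-1]
            # The SRPM appears once per architecture; the digests must agree.
            if expected.setdefault(name, digest) != digest:
                raise ValueError(f"conflicting digests for {name}")
    return expected

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def check_downloads(advisory_text, download_dir):
    """Classify packages as 'ok', 'mismatch', 'missing' or 'unlisted'."""
    results = {}
    for name, digest in parse_manifest(advisory_text).items():
        rpm = Path(download_dir) / name
        if not rpm.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if md5_of(rpm) == digest else "mismatch"
    for extra in Path(download_dir).glob("*.rpm"):
        results.setdefault(extra.name, "unlisted")  # not named by the advisory
    return results

def demo():
    """Constructed data: fake .rpm files and a manifest built for them."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = Path(d, "a-1.0.rpm"), Path(d, "b-1.0.rpm")
        good.write_bytes(b"constructed package A")
        bad.write_bytes(b"constructed package B, altered after listing")
        manifest = (f"{md5_of(good)} mes5/i586/a-1.0.rpm\n"
                    f"{'0' * 32} mes5/i586/b-1.0.rpm\n"
                    f"{'1' * 32} mes5/SRPMS/c-1.0.src.rpm\n")
        Path(d, "stray-9.9.rpm").write_bytes(b"not in the manifest")
        return check_downloads(manifest, d)
```

Any result other than `ok` for a package about to be installed is a reason to stop and re-fetch it from a trusted mirror.
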

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFRQYu3mqjQ0CJFipgRAr58AKDQLYGYW+NZgX602GRUgztcWcdlQQCeOwkZ
4zmmI8O7HUx/x0D8R4nidvU=
=Dsq6
-----END PGP SIGNATURE-----

