Mandriva Linux Security Advisory 2010-001

Posted Jan 12, 2010
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2010-001 - The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client. Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. This update provides pidgin 2.6.5, which is not vulnerable to these issues.

tags | advisory, remote, denial of service, arbitrary, protocol
systems | linux, mandriva
advisories | CVE-2009-3615, CVE-2010-0013
MD5 | e5b03601138caff85338a39af21a4bfc

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2010:001
http://www.mandriva.com/security/
_______________________________________________________________________

Package : pidgin
Date : January 11, 2010
Affected: 2008.0, 2009.1, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Security vulnerabilities have been identified and fixed in pidgin:

The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium
before 1.3.7 allows remote attackers to cause a denial of service
(application crash) via crafted contact-list data for (1) ICQ and
possibly (2) AIM, as demonstrated by the SIM IM client (CVE-2009-3615).

Directory traversal vulnerability in slp.c in the MSN protocol
plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows
remote attackers to read arbitrary files via a .. (dot dot) in an
application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request,
a related issue to CVE-2004-0122. NOTE: it could be argued that
this is resultant from a vulnerability in which an emoticon download
request is processed even without a preceding text/x-mms-emoticon
message that announced availability of the emoticon (CVE-2010-0013).

Packages for 2008.0 are provided for Corporate Desktop 2008.0
customers.

This update provides pidgin 2.6.5, which is not vulnerable to these
issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3615
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013
http://pidgin.im/news/security/
_______________________________________________________________________

Updated Packages:

_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLS5dWmqjQ0CJFipgRAuqOAJ9ZWf6gqrDNe0RfHMH2YbI3sKR7RwCcDVeC
TnSrShrUf1HCLIkglWLyznA=
=g4Z0
-----END PGP SIGNATURE-----