what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Mandriva Linux Security Advisory 2010-002

Mandriva Linux Security Advisory 2010-002
Posted Jan 12, 2010
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2010-002 - Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon. This update provides pidgin 2.6.5, which is not vulnerable to this issue.

tags | advisory, remote, arbitrary, protocol
systems | linux, mandriva
advisories | CVE-2010-0013
SHA-256 | ac9b6842791f7c730b551d92d7aafc5dc0382a32ff7a90cb3d3e9b3104c96f40
Download | Favorite | View

Mandriva Linux Security Advisory 2010-002

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:002
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : pidgin
 Date    : January 11, 2010
 Affected: 2010.0
 _______________________________________________________________________

 Problem Description:

 A security vulnerability has been identified and fixed in pidgin:
 
 Directory traversal vulnerability in slp.c in the MSN protocol
 plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows
 remote attackers to read arbitrary files via a .. (dot dot) in an
 application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request,
 a related issue to CVE-2004-0122.  NOTE: it could be argued that
 this is resultant from a vulnerability in which an emoticon download
 request is processed even without a preceding text/x-mms-emoticon
 message that announced availability of the emoticon (CVE-2010-0013).
 
 This update provides pidgin 2.6.5, which is not vulnerable to this
 issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013
 http://pidgin.im/news/security/
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.0:
 0b141dc591a1677affc824e714c0bfa5  2010.0/i586/finch-2.6.5-0.1mdv2010.0.i586.rpm
 3d851548d89644efdfb701ba90c468da  2010.0/i586/libfinch0-2.6.5-0.1mdv2010.0.i586.rpm
 91a4b9783856ae2565c2cd3a9b27ebb6  2010.0/i586/libpurple0-2.6.5-0.1mdv2010.0.i586.rpm
 a0c9e1a42b96b117822968b581869513  2010.0/i586/libpurple-devel-2.6.5-0.1mdv2010.0.i586.rpm
 ec2f185f4aaf4a83fdd95d1ee5023c4c  2010.0/i586/pidgin-2.6.5-0.1mdv2010.0.i586.rpm
 aefdd5492a98e1823ba0c7286b3558b9  2010.0/i586/pidgin-bonjour-2.6.5-0.1mdv2010.0.i586.rpm
 92599926774c68178a399e8e6b680029  2010.0/i586/pidgin-client-2.6.5-0.1mdv2010.0.i586.rpm
 1d213714f4d9da85fd0bac7e793aa0d5  2010.0/i586/pidgin-gevolution-2.6.5-0.1mdv2010.0.i586.rpm
 a1e458dcd2c10987934208d9a18cd2b5  2010.0/i586/pidgin-i18n-2.6.5-0.1mdv2010.0.i586.rpm
 afc26ed9b344e3d4317fd7e32b88fa88  2010.0/i586/pidgin-meanwhile-2.6.5-0.1mdv2010.0.i586.rpm
 3233cfec46020dbff5ef6f6fa4a4025e  2010.0/i586/pidgin-mono-2.6.5-0.1mdv2010.0.i586.rpm
 48a5641b1104620aba0e2cbfa65a101f  2010.0/i586/pidgin-perl-2.6.5-0.1mdv2010.0.i586.rpm
 44461abfbd8bc983a1e440a331ddc823  2010.0/i586/pidgin-plugins-2.6.5-0.1mdv2010.0.i586.rpm
 80e0cedd0d60fe626dc5253db502e1bd  2010.0/i586/pidgin-silc-2.6.5-0.1mdv2010.0.i586.rpm
 531a6537d9bf005ee54aece14aa48eb6  2010.0/i586/pidgin-tcl-2.6.5-0.1mdv2010.0.i586.rpm 
 83d0f2b5bb31e313c53c4d40ca8fe1da  2010.0/SRPMS/pidgin-2.6.5-0.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 e27d2817c814cf90bad7e205081402a2  2010.0/x86_64/finch-2.6.5-0.1mdv2010.0.x86_64.rpm
 611f230ca512ad0db64acc14ef06e148  2010.0/x86_64/lib64finch0-2.6.5-0.1mdv2010.0.x86_64.rpm
 8ae845e339ca97ebdd7f302eac3e5899  2010.0/x86_64/lib64purple0-2.6.5-0.1mdv2010.0.x86_64.rpm
 525a83c8cb39f1b8a5c54d1ee91d5e49  2010.0/x86_64/lib64purple-devel-2.6.5-0.1mdv2010.0.x86_64.rpm
 2ef31af24eb8a4c2706e67f941ad9fa3  2010.0/x86_64/pidgin-2.6.5-0.1mdv2010.0.x86_64.rpm
 f8d2d37e7e9f070ec94339c2a3b6b8f0  2010.0/x86_64/pidgin-bonjour-2.6.5-0.1mdv2010.0.x86_64.rpm
 45038a16defd0813f381fea1b184697a  2010.0/x86_64/pidgin-client-2.6.5-0.1mdv2010.0.x86_64.rpm
 9f48d1a4af0d24195610a0392f721acb  2010.0/x86_64/pidgin-gevolution-2.6.5-0.1mdv2010.0.x86_64.rpm
 6c7d1fcb4f0ba1a1b32d04ecaf51ce59  2010.0/x86_64/pidgin-i18n-2.6.5-0.1mdv2010.0.x86_64.rpm
 7efbc4ca6f8028476e6a842238d5e19c  2010.0/x86_64/pidgin-meanwhile-2.6.5-0.1mdv2010.0.x86_64.rpm
 58f135d340961f21b7b7a37931c7bf1d  2010.0/x86_64/pidgin-mono-2.6.5-0.1mdv2010.0.x86_64.rpm
 798c84ae196fdedbeddb8d71374ce063  2010.0/x86_64/pidgin-perl-2.6.5-0.1mdv2010.0.x86_64.rpm
 507b908bb81dc61cd633fccea1023314  2010.0/x86_64/pidgin-plugins-2.6.5-0.1mdv2010.0.x86_64.rpm
 48518b319bc1c5a5a452be9ceb522763  2010.0/x86_64/pidgin-silc-2.6.5-0.1mdv2010.0.x86_64.rpm
 b38b6ee90af7cee2298ba8f191b7fcc6  2010.0/x86_64/pidgin-tcl-2.6.5-0.1mdv2010.0.x86_64.rpm 
 83d0f2b5bb31e313c53c4d40ca8fe1da  2010.0/SRPMS/pidgin-2.6.5-0.1mdv2010.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLS6HImqjQ0CJFipgRAtFeAKDDgB5ajBW96Sv5YBFoCprgN7m57gCbBWjf
aW7W6V/HuduwIHmOC3pXQhA=
=uVD5
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close