-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2011:132 http://www.mandriva.com/security/ _______________________________________________________________________ Package : pidgin Date : September 6, 2011 Affected: 2009.0, 2010.1, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been identified and fixed in pidgin: It was found that the gdk-pixbuf GIF image loader routine gdk_pixbuf__gif_image_load() did not properly handle certain return values from its subroutines. A remote attacker could provide a specially-crafted GIF image, which, once opened in Pidgin, would lead gdk-pixbuf to return a partially initialized pixbuf structure. Using this structure, possibly containing a huge width and height, could lead to the application being terminated due to excessive memory use (CVE-2011-2485). Certain characters in the nicknames of IRC users can trigger a null pointer dereference in the IRC protocol plugin's handling of responses to WHO requests. This can cause a crash on some operating systems. Clients based on libpurple 2.8.0 through 2.9.0 are affected (CVE-2011-2943). Incorrect handling of HTTP 100 responses in the MSN protocol plugin can cause the application to attempt to access memory that it does not have access to. This only affects users who have turned on the HTTP connection method for their accounts (it's off by default). This might only be triggerable by a malicious server and not a malicious peer. We believe remote code execution is not possible (CVE-2011-3184). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490 This update provides pidgin 2.10.0, which is not vulnerable to these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2485 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2943 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3184 http://pidgin.im/news/security/ _______________________________________________________________________ Updated Packages: Mandriva Linux 2009.0: 9691deaad1615375a6c96002da7de57b 2009.0/i586/finch-2.10.0-0.1mdv2009.0.i586.rpm eed6d45dede5d4ab8bc775d088577f8a 2009.0/i586/libfinch0-2.10.0-0.1mdv2009.0.i586.rpm aaeffe8dfc8088f8e75e1646c8803786 2009.0/i586/libpurple0-2.10.0-0.1mdv2009.0.i586.rpm 429d026faa1969f6c7f2ee2aba74e6f4 2009.0/i586/libpurple-devel-2.10.0-0.1mdv2009.0.i586.rpm 01da4c0f516a35076222558b8c0f42c3 2009.0/i586/pidgin-2.10.0-0.1mdv2009.0.i586.rpm 54418f3845f324c46862d070f7d003d5 2009.0/i586/pidgin-bonjour-2.10.0-0.1mdv2009.0.i586.rpm f44a27aa04c704e4f194117636d83ed7 2009.0/i586/pidgin-client-2.10.0-0.1mdv2009.0.i586.rpm 1aafb8808069d2d2fb2625b10c76e7fb 2009.0/i586/pidgin-gevolution-2.10.0-0.1mdv2009.0.i586.rpm 52027036563b73dd5eb8eacfa3ceffd0 2009.0/i586/pidgin-i18n-2.10.0-0.1mdv2009.0.i586.rpm a5992cae2ba908cd1800dff218076838 2009.0/i586/pidgin-meanwhile-2.10.0-0.1mdv2009.0.i586.rpm 2cd0288083dcb742e7dabdc46e7cc854 2009.0/i586/pidgin-perl-2.10.0-0.1mdv2009.0.i586.rpm 43ce83b4706b90d5025f4f55c83f1e0b 2009.0/i586/pidgin-plugins-2.10.0-0.1mdv2009.0.i586.rpm 35b1cd147e3e1836ea7f7b75ab70c531 2009.0/i586/pidgin-silc-2.10.0-0.1mdv2009.0.i586.rpm ae8ba0b0dc82d9deff4ef3bb88a4076d 2009.0/i586/pidgin-tcl-2.10.0-0.1mdv2009.0.i586.rpm 62f6a69270844338264edd3fbaa51e75 2009.0/SRPMS/pidgin-2.10.0-0.1mdv2009.0.src.rpm Mandriva Linux 2009.0/X86_64: b119fdb620e35194b3c94e5f486feff3 2009.0/x86_64/finch-2.10.0-0.1mdv2009.0.x86_64.rpm 748d4cd30f8c1b9a83e1759a6a522568 2009.0/x86_64/lib64finch0-2.10.0-0.1mdv2009.0.x86_64.rpm f809eae51ca1dcb9d9298db5edd03b49 2009.0/x86_64/lib64purple0-2.10.0-0.1mdv2009.0.x86_64.rpm 4779a76e384c0f80a39a86b34c59ad1b 2009.0/x86_64/lib64purple-devel-2.10.0-0.1mdv2009.0.x86_64.rpm 05b1274031920567e741278b527e8c62 2009.0/x86_64/pidgin-2.10.0-0.1mdv2009.0.x86_64.rpm 2847f0c347adaa594df6b6ad7675e600 2009.0/x86_64/pidgin-bonjour-2.10.0-0.1mdv2009.0.x86_64.rpm a3c16b86b4060d62288a20485d53b333 2009.0/x86_64/pidgin-client-2.10.0-0.1mdv2009.0.x86_64.rpm 6ba1fd63f59ac46016641585282af002 2009.0/x86_64/pidgin-gevolution-2.10.0-0.1mdv2009.0.x86_64.rpm 8dfe86bf046bae759a82701cf115d06d 2009.0/x86_64/pidgin-i18n-2.10.0-0.1mdv2009.0.x86_64.rpm 34c0c000fd2adce18ae980bd1de89f81 2009.0/x86_64/pidgin-meanwhile-2.10.0-0.1mdv2009.0.x86_64.rpm 75289966638d58d9b4aec8c5dfe64245 2009.0/x86_64/pidgin-perl-2.10.0-0.1mdv2009.0.x86_64.rpm c5cecff86e10fa7b2802fef7f0d9d315 2009.0/x86_64/pidgin-plugins-2.10.0-0.1mdv2009.0.x86_64.rpm 1642cc9818fed7cdfb9f673d5eab4302 2009.0/x86_64/pidgin-silc-2.10.0-0.1mdv2009.0.x86_64.rpm 0967d7160e6e972b3f918363ffc3f261 2009.0/x86_64/pidgin-tcl-2.10.0-0.1mdv2009.0.x86_64.rpm 62f6a69270844338264edd3fbaa51e75 2009.0/SRPMS/pidgin-2.10.0-0.1mdv2009.0.src.rpm Mandriva Linux 2010.1: ca84191afa89f8b24f415f7f81a64ab6 2010.1/i586/finch-2.10.0-0.1mdv2010.2.i586.rpm 2f15a306d87d7e24f58038bed15f97d8 2010.1/i586/libfinch0-2.10.0-0.1mdv2010.2.i586.rpm 8c909ad5f9a5bf64a9130c374b1f490b 2010.1/i586/libpurple0-2.10.0-0.1mdv2010.2.i586.rpm f6768847952d2a37a93dc34af62dd318 2010.1/i586/libpurple-devel-2.10.0-0.1mdv2010.2.i586.rpm fb19371071adf5c8db9a2e3b9ba56e47 2010.1/i586/pidgin-2.10.0-0.1mdv2010.2.i586.rpm 5a7ac9a7e95c7f56ed50926b26c1c859 2010.1/i586/pidgin-bonjour-2.10.0-0.1mdv2010.2.i586.rpm 925c7a754960586a47765a74df57bd80 2010.1/i586/pidgin-client-2.10.0-0.1mdv2010.2.i586.rpm c88f5b5d394805a768313dd7776fb246 2010.1/i586/pidgin-gevolution-2.10.0-0.1mdv2010.2.i586.rpm 36a9d24e1680f3217c146cfeba1c416e 2010.1/i586/pidgin-i18n-2.10.0-0.1mdv2010.2.i586.rpm 1c9c5ec91da6e4f31bb1beee04739ad0 2010.1/i586/pidgin-meanwhile-2.10.0-0.1mdv2010.2.i586.rpm 30d630a21e4b600bb75882db455b58a9 2010.1/i586/pidgin-perl-2.10.0-0.1mdv2010.2.i586.rpm b2f7653d2fcc2bd634ae553b9076c539 2010.1/i586/pidgin-plugins-2.10.0-0.1mdv2010.2.i586.rpm a0bbe6b50d49176d6e4654f2afa64b5c 2010.1/i586/pidgin-silc-2.10.0-0.1mdv2010.2.i586.rpm f858526c3c2149d6f061e2d7516ebd7a 2010.1/i586/pidgin-tcl-2.10.0-0.1mdv2010.2.i586.rpm c54333d814cbc0dc6dec1404ea0ef26d 2010.1/SRPMS/pidgin-2.10.0-0.1mdv2010.2.src.rpm Mandriva Linux 2010.1/X86_64: 0c3cc73ffedf8baf501591e26bd609fb 2010.1/x86_64/finch-2.10.0-0.1mdv2010.2.x86_64.rpm f60127e02a45c13e054cfb77bb2e9a73 2010.1/x86_64/lib64finch0-2.10.0-0.1mdv2010.2.x86_64.rpm 44c1f25023dda0214fce9a136792b32b 2010.1/x86_64/lib64purple0-2.10.0-0.1mdv2010.2.x86_64.rpm 1a9f994c876a0fe8c1817c5af97b525c 2010.1/x86_64/lib64purple-devel-2.10.0-0.1mdv2010.2.x86_64.rpm 472f8dbbf8144b3088cb4e0104161042 2010.1/x86_64/pidgin-2.10.0-0.1mdv2010.2.x86_64.rpm fb3a84803c16ac3715159a716e3bb997 2010.1/x86_64/pidgin-bonjour-2.10.0-0.1mdv2010.2.x86_64.rpm 0dbc18bc4e673b591214ae2b62d2d5b9 2010.1/x86_64/pidgin-client-2.10.0-0.1mdv2010.2.x86_64.rpm 4f8dbad90a05fb09e87b30dece3a6f68 2010.1/x86_64/pidgin-gevolution-2.10.0-0.1mdv2010.2.x86_64.rpm c08b726ba2d51eeaefad93ac05d2f009 2010.1/x86_64/pidgin-i18n-2.10.0-0.1mdv2010.2.x86_64.rpm ea3ab9b7f0642ace5ba158fd3562175a 2010.1/x86_64/pidgin-meanwhile-2.10.0-0.1mdv2010.2.x86_64.rpm cbfed1299c442d104e02dcdeb74cc425 2010.1/x86_64/pidgin-perl-2.10.0-0.1mdv2010.2.x86_64.rpm 5237a1adb911a6311d16762ba26e0138 2010.1/x86_64/pidgin-plugins-2.10.0-0.1mdv2010.2.x86_64.rpm 04ce4f97362aa093e160c17d11a5c849 2010.1/x86_64/pidgin-silc-2.10.0-0.1mdv2010.2.x86_64.rpm 3a0117e5d400f48d5c345b61763695b7 2010.1/x86_64/pidgin-tcl-2.10.0-0.1mdv2010.2.x86_64.rpm c54333d814cbc0dc6dec1404ea0ef26d 2010.1/SRPMS/pidgin-2.10.0-0.1mdv2010.2.src.rpm Mandriva Enterprise Server 5: 560cfb4e6367c7cde341fe4fb553e8e7 mes5/i586/finch-2.10.0-0.1mdvmes5.2.i586.rpm a252b2a98f7b27d29ef2d64c48f32382 mes5/i586/libfinch0-2.10.0-0.1mdvmes5.2.i586.rpm f5da58f2499ef035cfcdef55db150cd5 mes5/i586/libpurple0-2.10.0-0.1mdvmes5.2.i586.rpm 477b45d5d1e29cf1daeafc741f776ee2 mes5/i586/libpurple-devel-2.10.0-0.1mdvmes5.2.i586.rpm 90e878420f4722ded1fc583a0309a7a7 mes5/i586/pidgin-2.10.0-0.1mdvmes5.2.i586.rpm 5044a66d07807dd0ebc9be40e51356db mes5/i586/pidgin-bonjour-2.10.0-0.1mdvmes5.2.i586.rpm f3a96a6bab53d33f13c0816053d1bcae mes5/i586/pidgin-client-2.10.0-0.1mdvmes5.2.i586.rpm 89dcd52af23ca809a40faf224b3386f9 mes5/i586/pidgin-gevolution-2.10.0-0.1mdvmes5.2.i586.rpm b921effa92a0cbf04c458ca42eedacae mes5/i586/pidgin-i18n-2.10.0-0.1mdvmes5.2.i586.rpm ec3ea33d910ca0fe1df25a8d86961711 mes5/i586/pidgin-meanwhile-2.10.0-0.1mdvmes5.2.i586.rpm 29560febf21a5b879abc3ff6cf5a2ec2 mes5/i586/pidgin-perl-2.10.0-0.1mdvmes5.2.i586.rpm 307272b8a42864614bdabc66a7088317 mes5/i586/pidgin-plugins-2.10.0-0.1mdvmes5.2.i586.rpm 2995b52999d3701a2727ccce72adfc88 mes5/i586/pidgin-silc-2.10.0-0.1mdvmes5.2.i586.rpm 61be5df3ae9920cb3a3d4ea529d86c81 mes5/i586/pidgin-tcl-2.10.0-0.1mdvmes5.2.i586.rpm 1a76e2f620abd0a8626d67dd195cc843 mes5/SRPMS/pidgin-2.10.0-0.1mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 03d6a48bda57e441c03aa64853bb3c91 mes5/x86_64/finch-2.10.0-0.1mdvmes5.2.x86_64.rpm f57761597893028206d030914d8239df mes5/x86_64/lib64finch0-2.10.0-0.1mdvmes5.2.x86_64.rpm c6067ee33650cb39e9e364a7e8cf24a0 mes5/x86_64/lib64purple0-2.10.0-0.1mdvmes5.2.x86_64.rpm 3b7486d359849bf232738cf267a5bcdb mes5/x86_64/lib64purple-devel-2.10.0-0.1mdvmes5.2.x86_64.rpm d09dd18646e36ba8282cb0bdb77c840b mes5/x86_64/pidgin-2.10.0-0.1mdvmes5.2.x86_64.rpm 1084298aca301a9611165c62689ddbb8 mes5/x86_64/pidgin-bonjour-2.10.0-0.1mdvmes5.2.x86_64.rpm 864180f43280b806db65aba58e210e47 mes5/x86_64/pidgin-client-2.10.0-0.1mdvmes5.2.x86_64.rpm 94a9c4489303cfd67d399a86a664fa84 mes5/x86_64/pidgin-gevolution-2.10.0-0.1mdvmes5.2.x86_64.rpm c8ad57d2343c39457269842179d9bb18 mes5/x86_64/pidgin-i18n-2.10.0-0.1mdvmes5.2.x86_64.rpm 18c3f9c6bec24b93baec14d145347ec7 mes5/x86_64/pidgin-meanwhile-2.10.0-0.1mdvmes5.2.x86_64.rpm a2e414b2cf6fece827d6cf0a6b0b9c69 mes5/x86_64/pidgin-perl-2.10.0-0.1mdvmes5.2.x86_64.rpm 9202e11d7d72d0a4f4cc6158c8cab595 mes5/x86_64/pidgin-plugins-2.10.0-0.1mdvmes5.2.x86_64.rpm 0d4aa63adc9682a1937b1011497ed139 mes5/x86_64/pidgin-silc-2.10.0-0.1mdvmes5.2.x86_64.rpm 00cbc42f2d0d8e4fdaba8aa9c1684d16 mes5/x86_64/pidgin-tcl-2.10.0-0.1mdvmes5.2.x86_64.rpm 1a76e2f620abd0a8626d67dd195cc843 mes5/SRPMS/pidgin-2.10.0-0.1mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFOZffXmqjQ0CJFipgRArXIAKCEiI4fIqhEJvtg2C4FttJx+F1i+ACgvMfO BfSItMC3BXeRwWNlZKA6sqU= =EpoQ -----END PGP SIGNATURE-----