-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:132-1
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : pidgin
 Date    : September 17, 2011
 Affected: 2011.
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been identified and fixed in pidgin:

 It was found that the gdk-pixbuf GIF image loader routine
 gdk_pixbuf__gif_image_load() did not properly handle certain return
 values from its subroutines. A remote attacker could provide a
 specially-crafted GIF image, which, once opened in Pidgin, would lead
 gdk-pixbuf to return a partially initialized pixbuf structure. Using
 this structure, possibly containing a huge width and height, could
 lead to the application being terminated due to excessive memory use
 (CVE-2011-2485).

 Certain characters in the nicknames of IRC users can trigger a null
 pointer dereference in the IRC protocol plugin's handling of responses
 to WHO requests. This can cause a crash on some operating systems.
 Clients based on libpurple 2.8.0 through 2.9.0 are affected
 (CVE-2011-2943).

 Incorrect handling of HTTP 100 responses in the MSN protocol plugin can
 cause the application to attempt to access memory that it does not
 have access to. This only affects users who have turned on the HTTP
 connection method for their accounts (it's off by default). This might
 only be triggerable by a malicious server and not a malicious peer. We
 believe remote code execution is not possible (CVE-2011-3184).

 This update provides pidgin 2.10.0, which is not vulnerable to these
 issues.

 Update:

 Packages for Mandriva Linux 2011 are now being provided as well.

 Enjoy!
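The first issue above, CVE-2011-2485, is a failure to propagate a subroutine's error: the loader hands back a pixbuf whose width and height were already filled in when the decode failed, and the consumer sizes its allocation from those fields. The C program below is an added, simplified model of that bug class written for this page; it is not gdk-pixbuf's or Pidgin's code. The struct, the 13-byte header parser, the MAX_DIM limit and the truncated sample bytes are all constructed for the example. It places the flawed loader (return value dropped) beside a fixed one (error propagated, no half-built pixbuf ever returned) and adds the consumer-side check a caller should do regardless: reject zero, oversized or overflowing dimensions before allocating.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal image structure; not the GdkPixbuf struct. */
struct pixbuf {
    uint32_t width;
    uint32_t height;
    uint8_t *pixels;   /* NULL until a decode completes */
};

/* Largest dimension this consumer is willing to decode (an assumption
 * chosen for the example; real applications pick their own policy). */
#define MAX_DIM 16384u

/* Parse a GIF header: "GIF87a"/"GIF89a", width (LE16), height (LE16),
 * then packed flags, background index and aspect ratio (13 bytes total).
 * Returns 0 on success, -1 if the data is not a GIF or is truncated.
 * Like the advisory describes, width/height are stored into *out before
 * the truncation is detected, leaving *out partially initialised. */
static int gif_read_header(const uint8_t *data, size_t len, struct pixbuf *out)
{
    if (len < 6 || (memcmp(data, "GIF89a", 6) != 0 &&
                    memcmp(data, "GIF87a", 6) != 0))
        return -1;
    if (len < 10)
        return -1;
    out->width  = (uint32_t)(data[6] | (data[7] << 8));
    out->height = (uint32_t)(data[8] | (data[9] << 8));
    if (len < 13)           /* flags, background, aspect ratio missing */
        return -1;
    return 0;
}

/* Flawed loader (models the bug class): the subroutine's result is
 * ignored and the partially initialised structure is returned. */
struct pixbuf *gif_load_unchecked(const uint8_t *data, size_t len)
{
    struct pixbuf *pb = calloc(1, sizeof *pb);
    if (!pb)
        return NULL;
    (void)gif_read_header(data, len, pb);   /* return value dropped */
    return pb;
}

/* Fixed loader: the error is propagated and no half-built pixbuf escapes. */
struct pixbuf *gif_load_checked(const uint8_t *data, size_t len)
{
    struct pixbuf *pb = calloc(1, sizeof *pb);
    if (!pb)
        return NULL;
    if (gif_read_header(data, len, pb) != 0) {
        free(pb);
        return NULL;
    }
    return pb;
}

/* Consumer-side guard: bytes needed for an RGBA buffer. Returns 0 and
 * sets *bytes, or -1 if the dimensions are zero, exceed MAX_DIM, or the
 * multiplication would overflow size_t. Runs before any allocation. */
int pixbuf_rgba_size(const struct pixbuf *pb, size_t *bytes)
{
    if (!pb || pb->width == 0 || pb->height == 0)
        return -1;
    if (pb->width > MAX_DIM || pb->height > MAX_DIM)
        return -1;
    size_t rowstride = (size_t)pb->width * 4;
    if (pb->height > SIZE_MAX / rowstride)
        return -1;
    *bytes = rowstride * pb->height;
    return 0;
}

/* Constructed sample: a GIF89a signature declaring a 65535x65535 logical
 * screen, cut off before the rest of the header. */
static const uint8_t TRUNCATED_GIF[] = {
    'G', 'I', 'F', '8', '9', 'a', 0xFF, 0xFF, 0xFF, 0xFF
};

int main(void)
{
    size_t n = 0;
    struct pixbuf *bad = gif_load_unchecked(TRUNCATED_GIF, sizeof TRUNCATED_GIF);
    if (bad) {
        printf("unchecked loader: %ux%u, naive RGBA allocation = %llu bytes\n",
               (unsigned)bad->width, (unsigned)bad->height,
               (unsigned long long)bad->width * bad->height * 4ULL);
        printf("bounded size check: %s\n",
               pixbuf_rgba_size(bad, &n) == 0 ? "accepted" : "rejected");
        free(bad);
    }
    struct pixbuf *good = gif_load_checked(TRUNCATED_GIF, sizeof TRUNCATED_GIF);
    printf("checked loader: %s\n", good ? "pixbuf" : "NULL (error propagated)");
    free(good);
    return 0;
}
```

With the truncated sample, the unchecked loader returns a 65535x65535 pixbuf whose naive RGBA allocation is about 16 GiB, which is the excessive-memory outcome the advisory describes; the checked loader returns NULL, and even a caller handed the bad structure is protected by pixbuf_rgba_size rejecting it. The two fixes are independent and both belong in production code: libraries must not return partially initialised objects, and consumers must not trust decoder-supplied dimensions when sizing allocations.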
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2485
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2943
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3184
 http://pidgin.im/news/security/
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2011:
 f30d9eb8784ecc490e9267a3afd9681d  2011/i586/finch-2.10.0-0.1-mdv2011.0.i586.rpm
 c3cef6e7db660c78a52241d427fe67c6  2011/i586/libfinch0-2.10.0-0.1-mdv2011.0.i586.rpm
 b1bda00d68d706954d0a23ff13053bbe  2011/i586/libpurple0-2.10.0-0.1-mdv2011.0.i586.rpm
 b1e05edaa2a234697a8618da370a5eba  2011/i586/libpurple-devel-2.10.0-0.1-mdv2011.0.i586.rpm
 e8a6321eabf0e88b13a7121e06f88588  2011/i586/pidgin-2.10.0-0.1-mdv2011.0.i586.rpm
 df8b6157762c34972b26959e9e0b8670  2011/i586/pidgin-bonjour-2.10.0-0.1-mdv2011.0.i586.rpm
 323307becdb33612085c108356de0fe0  2011/i586/pidgin-client-2.10.0-0.1-mdv2011.0.i586.rpm
 4ff033d530ce6925dc5c3c9516f0f71e  2011/i586/pidgin-gevolution-2.10.0-0.1-mdv2011.0.i586.rpm
 e7282726de99c169675a927ee87e318d  2011/i586/pidgin-i18n-2.10.0-0.1-mdv2011.0.i586.rpm
 5b0d0784b39a4fb7fb179e5083a4f0f6  2011/i586/pidgin-meanwhile-2.10.0-0.1-mdv2011.0.i586.rpm
 0f3fbed0cdbb0cb9c0d8621d821d34c8  2011/i586/pidgin-perl-2.10.0-0.1-mdv2011.0.i586.rpm
 9117f4f6cd51b274ebfe32b8df1355fb  2011/i586/pidgin-plugins-2.10.0-0.1-mdv2011.0.i586.rpm
 da47178daab129eac1b2d334330ebe9b  2011/i586/pidgin-silc-2.10.0-0.1-mdv2011.0.i586.rpm
 c694a44d5051390026fa75b7b71ad0a8  2011/i586/pidgin-tcl-2.10.0-0.1-mdv2011.0.i586.rpm
 c33eef6270b588ee33df4ddaa968eab3  2011/SRPMS/pidgin-2.10.0-0.1.src.rpm

 Mandriva Linux 2011/X86_64:
 7cd751354229ed6dec93d7ec652758f7  2011/x86_64/finch-2.10.0-0.1-mdv2011.0.x86_64.rpm
 14af8584523addd64e870ac6deb71bb6  2011/x86_64/lib64finch0-2.10.0-0.1-mdv2011.0.x86_64.rpm
 fb55c6c1c349145794147f4e5e855f63  2011/x86_64/lib64purple0-2.10.0-0.1-mdv2011.0.x86_64.rpm
 676eea02b713243dd259edac8260eaaf  2011/x86_64/lib64purple-devel-2.10.0-0.1-mdv2011.0.x86_64.rpm
 de0cda6937539b552c605bb02547a606  2011/x86_64/pidgin-2.10.0-0.1-mdv2011.0.x86_64.rpm
 c50b5acc263a44cfcfde9aba892aefb8  2011/x86_64/pidgin-bonjour-2.10.0-0.1-mdv2011.0.x86_64.rpm
 95445621358bebfe246778e3195bd496  2011/x86_64/pidgin-client-2.10.0-0.1-mdv2011.0.x86_64.rpm
 d32ef3d0c5f3e030dfe931cc11fcd0e5  2011/x86_64/pidgin-gevolution-2.10.0-0.1-mdv2011.0.x86_64.rpm
 65ba1b2ee488d746fa45568d08f1ec6d  2011/x86_64/pidgin-i18n-2.10.0-0.1-mdv2011.0.x86_64.rpm
 371e329ab6aa9f90131b37d971bb0520  2011/x86_64/pidgin-meanwhile-2.10.0-0.1-mdv2011.0.x86_64.rpm
 2956fd8520f7a92cff7345d85b71f6a3  2011/x86_64/pidgin-perl-2.10.0-0.1-mdv2011.0.x86_64.rpm
 11c8e87c57ecbee206b18e94dd2b0e7a  2011/x86_64/pidgin-plugins-2.10.0-0.1-mdv2011.0.x86_64.rpm
 e1bf5b177d8f0c2e2107702dc14d55e5  2011/x86_64/pidgin-silc-2.10.0-0.1-mdv2011.0.x86_64.rpm
 79fbeed99bac330be3028501122997af  2011/x86_64/pidgin-tcl-2.10.0-0.1-mdv2011.0.x86_64.rpm
 c33eef6270b588ee33df4ddaa968eab3  2011/SRPMS/pidgin-2.10.0-0.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.
 You can obtain the GPG public key of the Mandriva Security Team by
 executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFOdGhbmqjQ0CJFipgRAoq8AJ9Pbp2Bmq3TX9+DCZ1R6jYxA3E3wACgtpVd
z6JYlgJxgBisXqUFlmviPkc=
=wwem
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/