-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:321 http://www.mandriva.com/security/ _______________________________________________________________________ Package : pidgin Date : December 6, 2009 Affected: 2008.0 _______________________________________________________________________ Problem Description: Security vulnerabilities has been identified and fixed in pidgin: The NSS plugin in libpurple in Pidgin 2.4.1 does not verify SSL certificates, which makes it easier for remote attackers to trick a user into accepting an invalid server certificate for a spoofed service. (CVE-2008-3532) Pidgin 2.4.1 allows remote attackers to cause a denial of service (crash) via a long filename that contains certain characters, as demonstrated using an MSN message that triggers the crash in the msn_slplink_process_msg function. (CVE-2008-2955) The UPnP functionality in Pidgin 2.0.0, and possibly other versions, allows remote attackers to trigger the download of arbitrary files and cause a denial of service (memory or disk consumption) via a UDP packet that specifies an arbitrary URL. (CVE-2008-2957) Buffer overflow in the XMPP SOCKS5 bytestream server in Pidgin (formerly Gaim) before 2.5.6 allows remote authenticated users to execute arbitrary code via vectors involving an outbound XMPP file transfer. NOTE: some of these details are obtained from third party information (CVE-2009-1373). Buffer overflow in the decrypt_out function in Pidgin (formerly Gaim) before 2.5.6 allows remote attackers to cause a denial of service (application crash) via a QQ packet (CVE-2009-1374). The PurpleCircBuffer implementation in Pidgin (formerly Gaim) before 2.5.6 does not properly maintain a certain buffer, which allows remote attackers to cause a denial of service (memory corruption and application crash) via vectors involving the (1) XMPP or (2) Sametime protocol (CVE-2009-1375). Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin (formerly Gaim) before 2.5.6 on 32-bit platforms allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, leading to buffer overflows. NOTE: this issue exists because of an incomplete fix for CVE-2008-2927 (CVE-2009-1376). The OSCAR protocol implementation in Pidgin before 2.5.8 misinterprets the ICQWebMessage message type as the ICQSMS message type, which allows remote attackers to cause a denial of service (application crash) via a crafted ICQ web message that triggers allocation of a large amount of memory (CVE-2009-1889). The msn_slplink_process_msg function in libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin (formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by sending multiple crafted SLP (aka MSNSLP) messages to trigger an overwrite of an arbitrary memory location. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1376 (CVE-2009-2694). Unspecified vulnerability in Pidgin 2.6.0 allows remote attackers to cause a denial of service (crash) via a link in a Yahoo IM (CVE-2009-3025) protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the require TLS/SSL preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions (CVE-2009-3026). libpurple/protocols/irc/msgs.c in the IRC protocol plugin in libpurple in Pidgin before 2.6.2 allows remote IRC servers to cause a denial of service (NULL pointer dereference and application crash) via a TOPIC message that lacks a topic string (CVE-2009-2703). The msn_slp_sip_recv function in libpurple/protocols/msn/slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an SLP invite message that lacks certain required fields, as demonstrated by a malformed message from a KMess client (CVE-2009-3083). The msn_slp_process_msg function in libpurple/protocols/msn/slpcall.c in the MSN protocol plugin in libpurple 2.6.0 and 2.6.1, as used in Pidgin before 2.6.2, allows remote attackers to cause a denial of service (application crash) via a handwritten (aka Ink) message, related to an uninitialized variable and the incorrect UTF16-LE charset name (CVE-2009-3084). The XMPP protocol plugin in libpurple in Pidgin before 2.6.2 does not properly handle an error IQ stanza during an attempted fetch of a custom smiley, which allows remote attackers to cause a denial of service (application crash) via XHTML-IM content with cid: images (CVE-2009-3085). This update provides pidgin 2.6.2, which is not vulnerable to these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2955 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2957 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3532 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1373 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1374 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1375 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1376 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1889 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2694 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2703 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3025 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3026 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3083 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3084 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3085 http://pidgin.im/news/security/ _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.0: e689b143ca593c49c1954a42f351dec1 2008.0/i586/finch-2.6.2-0.1mdv2008.0.i586.rpm 3d5f88bb7cd0b3e5596e02760c182169 2008.0/i586/libfinch0-2.6.2-0.1mdv2008.0.i586.rpm 8e55d77f7cb8c6907739a38b49e9b2a4 2008.0/i586/libpurple0-2.6.2-0.1mdv2008.0.i586.rpm d2419f4c7ae2e8f3b7ef0d971db1aa9e 2008.0/i586/libpurple-devel-2.6.2-0.1mdv2008.0.i586.rpm 1f0b2327e8d8585e1628e95fb95b8f1f 2008.0/i586/pidgin-2.6.2-0.1mdv2008.0.i586.rpm f5d4a2f7ee6257de2051419a2ef74170 2008.0/i586/pidgin-bonjour-2.6.2-0.1mdv2008.0.i586.rpm 7685fcc80fbd3fabe86ce3d5f05b5cdb 2008.0/i586/pidgin-client-2.6.2-0.1mdv2008.0.i586.rpm e8b7bcc521d6300673a242866938b002 2008.0/i586/pidgin-gevolution-2.6.2-0.1mdv2008.0.i586.rpm e2c88e96a1c0cee77fc70508ccd2c70b 2008.0/i586/pidgin-i18n-2.6.2-0.1mdv2008.0.i586.rpm c30173a970503943343566d4f2cf301e 2008.0/i586/pidgin-meanwhile-2.6.2-0.1mdv2008.0.i586.rpm baeb7aa1acbaead9894b91a0aecc08de 2008.0/i586/pidgin-mono-2.6.2-0.1mdv2008.0.i586.rpm b25cf481dccfa9ca7d80fb1467d2660e 2008.0/i586/pidgin-perl-2.6.2-0.1mdv2008.0.i586.rpm dd7cf20fc74574228f31041d35e1ab66 2008.0/i586/pidgin-plugins-2.6.2-0.1mdv2008.0.i586.rpm b767e2f9176a5d019e33f4b5c67d70c8 2008.0/i586/pidgin-silc-2.6.2-0.1mdv2008.0.i586.rpm 73f3f1b07a4fec717156bdd570c08218 2008.0/i586/pidgin-tcl-2.6.2-0.1mdv2008.0.i586.rpm 31343284647509cf77b6a238ae71573f 2008.0/SRPMS/pidgin-2.6.2-0.1mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: 1466474428fcfbe6c9cc915230644c81 2008.0/x86_64/finch-2.6.2-0.1mdv2008.0.x86_64.rpm 9e5dcbf4a1c6fef3c2b2a18959af98bf 2008.0/x86_64/lib64finch0-2.6.2-0.1mdv2008.0.x86_64.rpm bce8e0800fb41de6384a1e71b6777d3a 2008.0/x86_64/lib64purple0-2.6.2-0.1mdv2008.0.x86_64.rpm fe365356c28c3f4e9f1581f2e34d6c4a 2008.0/x86_64/lib64purple-devel-2.6.2-0.1mdv2008.0.x86_64.rpm 41023f5c93b3984fb02838f153f80d27 2008.0/x86_64/pidgin-2.6.2-0.1mdv2008.0.x86_64.rpm 40b4fa6b0e304dbe08b8088c2b601c2d 2008.0/x86_64/pidgin-bonjour-2.6.2-0.1mdv2008.0.x86_64.rpm dfa9b041ebac164400edc4ce77a9055b 2008.0/x86_64/pidgin-client-2.6.2-0.1mdv2008.0.x86_64.rpm 33a1243f7481cdde117ab1c5e77933e4 2008.0/x86_64/pidgin-gevolution-2.6.2-0.1mdv2008.0.x86_64.rpm baf2e28e00335329637224b34f3b10f2 2008.0/x86_64/pidgin-i18n-2.6.2-0.1mdv2008.0.x86_64.rpm fbec0ef4148efcc7903841acb4262a7d 2008.0/x86_64/pidgin-meanwhile-2.6.2-0.1mdv2008.0.x86_64.rpm 007d6ceb35a1876146d6a080d701e2cc 2008.0/x86_64/pidgin-mono-2.6.2-0.1mdv2008.0.x86_64.rpm daa1bb586b4f8af231f3fbbedbdc67cb 2008.0/x86_64/pidgin-perl-2.6.2-0.1mdv2008.0.x86_64.rpm a17b42e7d8909f64849aa2dbfddff5b3 2008.0/x86_64/pidgin-plugins-2.6.2-0.1mdv2008.0.x86_64.rpm b71b668bfda4e72efa4046faadeb6514 2008.0/x86_64/pidgin-silc-2.6.2-0.1mdv2008.0.x86_64.rpm 92fa40d38b6c7db8217deb2465c33eb9 2008.0/x86_64/pidgin-tcl-2.6.2-0.1mdv2008.0.x86_64.rpm 31343284647509cf77b6a238ae71573f 2008.0/SRPMS/pidgin-2.6.2-0.1mdv2008.0.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFLG9uPmqjQ0CJFipgRAsjpAKCWZGoH1uv7zx1DI3nnvsVbsWFCmgCfVetE sDGPDAQxob7ySZ6AV6S2E2c= =f2+x -----END PGP SIGNATURE-----