-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2010:002 http://www.mandriva.com/security/ _______________________________________________________________________ Package : pidgin Date : January 11, 2010 Affected: 2010.0 _______________________________________________________________________ Problem Description: A security vulnerability has been identified and fixed in pidgin: Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon (CVE-2010-0013). This update provides pidgin 2.6.5, which is not vulnerable to this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013 http://pidgin.im/news/security/ _______________________________________________________________________ Updated Packages: Mandriva Linux 2010.0: 0b141dc591a1677affc824e714c0bfa5 2010.0/i586/finch-2.6.5-0.1mdv2010.0.i586.rpm 3d851548d89644efdfb701ba90c468da 2010.0/i586/libfinch0-2.6.5-0.1mdv2010.0.i586.rpm 91a4b9783856ae2565c2cd3a9b27ebb6 2010.0/i586/libpurple0-2.6.5-0.1mdv2010.0.i586.rpm a0c9e1a42b96b117822968b581869513 2010.0/i586/libpurple-devel-2.6.5-0.1mdv2010.0.i586.rpm ec2f185f4aaf4a83fdd95d1ee5023c4c 2010.0/i586/pidgin-2.6.5-0.1mdv2010.0.i586.rpm aefdd5492a98e1823ba0c7286b3558b9 2010.0/i586/pidgin-bonjour-2.6.5-0.1mdv2010.0.i586.rpm 92599926774c68178a399e8e6b680029 2010.0/i586/pidgin-client-2.6.5-0.1mdv2010.0.i586.rpm 1d213714f4d9da85fd0bac7e793aa0d5 2010.0/i586/pidgin-gevolution-2.6.5-0.1mdv2010.0.i586.rpm a1e458dcd2c10987934208d9a18cd2b5 2010.0/i586/pidgin-i18n-2.6.5-0.1mdv2010.0.i586.rpm afc26ed9b344e3d4317fd7e32b88fa88 2010.0/i586/pidgin-meanwhile-2.6.5-0.1mdv2010.0.i586.rpm 3233cfec46020dbff5ef6f6fa4a4025e 2010.0/i586/pidgin-mono-2.6.5-0.1mdv2010.0.i586.rpm 48a5641b1104620aba0e2cbfa65a101f 2010.0/i586/pidgin-perl-2.6.5-0.1mdv2010.0.i586.rpm 44461abfbd8bc983a1e440a331ddc823 2010.0/i586/pidgin-plugins-2.6.5-0.1mdv2010.0.i586.rpm 80e0cedd0d60fe626dc5253db502e1bd 2010.0/i586/pidgin-silc-2.6.5-0.1mdv2010.0.i586.rpm 531a6537d9bf005ee54aece14aa48eb6 2010.0/i586/pidgin-tcl-2.6.5-0.1mdv2010.0.i586.rpm 83d0f2b5bb31e313c53c4d40ca8fe1da 2010.0/SRPMS/pidgin-2.6.5-0.1mdv2010.0.src.rpm Mandriva Linux 2010.0/X86_64: e27d2817c814cf90bad7e205081402a2 2010.0/x86_64/finch-2.6.5-0.1mdv2010.0.x86_64.rpm 611f230ca512ad0db64acc14ef06e148 2010.0/x86_64/lib64finch0-2.6.5-0.1mdv2010.0.x86_64.rpm 8ae845e339ca97ebdd7f302eac3e5899 2010.0/x86_64/lib64purple0-2.6.5-0.1mdv2010.0.x86_64.rpm 525a83c8cb39f1b8a5c54d1ee91d5e49 2010.0/x86_64/lib64purple-devel-2.6.5-0.1mdv2010.0.x86_64.rpm 2ef31af24eb8a4c2706e67f941ad9fa3 2010.0/x86_64/pidgin-2.6.5-0.1mdv2010.0.x86_64.rpm f8d2d37e7e9f070ec94339c2a3b6b8f0 2010.0/x86_64/pidgin-bonjour-2.6.5-0.1mdv2010.0.x86_64.rpm 45038a16defd0813f381fea1b184697a 2010.0/x86_64/pidgin-client-2.6.5-0.1mdv2010.0.x86_64.rpm 9f48d1a4af0d24195610a0392f721acb 2010.0/x86_64/pidgin-gevolution-2.6.5-0.1mdv2010.0.x86_64.rpm 6c7d1fcb4f0ba1a1b32d04ecaf51ce59 2010.0/x86_64/pidgin-i18n-2.6.5-0.1mdv2010.0.x86_64.rpm 7efbc4ca6f8028476e6a842238d5e19c 2010.0/x86_64/pidgin-meanwhile-2.6.5-0.1mdv2010.0.x86_64.rpm 58f135d340961f21b7b7a37931c7bf1d 2010.0/x86_64/pidgin-mono-2.6.5-0.1mdv2010.0.x86_64.rpm 798c84ae196fdedbeddb8d71374ce063 2010.0/x86_64/pidgin-perl-2.6.5-0.1mdv2010.0.x86_64.rpm 507b908bb81dc61cd633fccea1023314 2010.0/x86_64/pidgin-plugins-2.6.5-0.1mdv2010.0.x86_64.rpm 48518b319bc1c5a5a452be9ceb522763 2010.0/x86_64/pidgin-silc-2.6.5-0.1mdv2010.0.x86_64.rpm b38b6ee90af7cee2298ba8f191b7fcc6 2010.0/x86_64/pidgin-tcl-2.6.5-0.1mdv2010.0.x86_64.rpm 83d0f2b5bb31e313c53c4d40ca8fe1da 2010.0/SRPMS/pidgin-2.6.5-0.1mdv2010.0.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFLS6HImqjQ0CJFipgRAtFeAKDDgB5ajBW96Sv5YBFoCprgN7m57gCbBWjf aW7W6V/HuduwIHmOC3pXQhA= =uVD5 -----END PGP SIGNATURE-----