Full Disclosure mailing list archives
[ GLSA 200901-13 ] Pidgin: Multiple vulnerabilities
From: Pierre-Yves Rofes <py () gentoo org>
Date: Tue, 20 Jan 2009 23:01:50 +0100
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200901-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Pidgin: Multiple vulnerabilities
Date: January 20, 2009
Bugs: #230045, #234135
ID: 200901-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been discovered in Pidgin, allowing for
remote arbitrary code execution, Denial of Service and service
spoofing.
Background
==========
Pidgin (formerly Gaim) is an instant messaging client for a variety of
instant messaging protocols. It is based on the libpurple instant
messaging library.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-im/pidgin < 2.5.1 >= 2.5.1
Description
===========
Multiple vulnerabilities have been discovered in Pidgin and the
libpurple library:
* A participant to the TippingPoint ZDI reported multiple integer
overflows in the msn_slplink_process_msg() function in the MSN
protocol implementation (CVE-2008-2927).
* Juan Pablo Lopez Yacubian is credited for reporting a
use-after-free flaw in msn_slplink_process_msg() in the MSN protocol
implementation (CVE-2008-2955).
* The included UPnP server does not limit the size of data to be
downloaded for UPnP service discovery, according to a report by
Andrew Hunt and Christian Grothoff (CVE-2008-2957).
* Josh Triplett discovered that the NSS plugin for libpurple does not
properly verify SSL certificates (CVE-2008-3532).
Impact
======
A remote attacker could send specially crafted messages or files using
the MSN protocol which could result in the execution of arbitrary code
or crash Pidgin. NOTE: Successful exploitation might require the
victim's interaction. Furthermore, an attacker could conduct
man-in-the-middle attacks to obtain sensitive information using bad
certificates and cause memory and disk resources to exhaust.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Pidgin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-im/pidgin-2.5.1"
References
==========
[ 1 ] CVE-2008-2927
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2927
[ 2 ] CVE-2008-2955
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2955
[ 3 ] CVE-2008-2957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2957
[ 4 ] CVE-2008-3532
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3532
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200901-13.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [ GLSA 200901-13 ] Pidgin: Multiple vulnerabilities Pierre-Yves Rofes (Jan 20)