Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 200901-13 ] Pidgin: Multiple vulnerabilities
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Veteran
Veteran


Joined: 12 May 2004
Posts: 1655

PostPosted: Tue Jan 20, 2009 10:26 pm    Post subject: [ GLSA 200901-13 ] Pidgin: Multiple vulnerabilities Reply with quote

Gentoo Linux Security Advisory

Title: Pidgin: Multiple vulnerabilities (GLSA 200901-13)
Severity: normal
Exploitable: remote
Date: January 20, 2009
Bug(s): #230045, #234135
ID: 200901-13

Synopsis


Multiple vulnerabilities have been discovered in Pidgin, allowing for
remote arbitrary code execution, Denial of Service and service spoofing.


Background


Pidgin (formerly Gaim) is an instant messaging client for a variety of
instant messaging protocols. It is based on the libpurple instant
messaging library.


Affected Packages

Package: net-im/pidgin
Vulnerable: < 2.5.1
Unaffected: >= 2.5.1
Architectures: All supported architectures


Description


Multiple vulnerabilities have been discovered in Pidgin and the
libpurple library:

  • A participant to the TippingPoint ZDI reported multiple integer
    overflows in the msn_slplink_process_msg() function in the MSN protocol
    implementation (CVE-2008-2927).

  • Juan Pablo Lopez Yacubian is credited for reporting a use-after-free
    flaw in msn_slplink_process_msg() in the MSN protocol implementation
    (CVE-2008-2955).

  • The included UPnP server does not limit the size of data to be
    downloaded for UPnP service discovery, according to a report by Andrew
    Hunt and Christian Grothoff (CVE-2008-2957).

  • Josh Triplett discovered that the NSS plugin for libpurple does not
    properly verify SSL certificates (CVE-2008-3532).


Impact


A remote attacker could send specially crafted messages or files using
the MSN protocol which could result in the execution of arbitrary code
or crash Pidgin. NOTE: Successful exploitation might require the
victim's interaction. Furthermore, an attacker could conduct
man-in-the-middle attacks to obtain sensitive information using bad
certificates and cause memory and disk resources to exhaust.


Workaround


There is no known workaround at this time.


Resolution


All Pidgin users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=net-im/pidgin-2.5.1"


References

CVE-2008-2927
CVE-2008-2955
CVE-2008-2957
CVE-2008-3532


Last edited by GLSA on Mon Feb 02, 2015 4:27 am; edited 2 times in total
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum