SCIENTIFIC-LINUX-ERRATA Archives

May 2009

SCIENTIFIC-LINUX-ERRATA@LISTSERV.FNAL.GOV

Subject:
From: Troy Dawson
Reply To: Troy Dawson
Date: Mon, 25 May 2009 10:46:53 -0500
Synopsis:    Important: pidgin security update
Issue date:  2009-05-22
CVE Names:   CVE-2009-1373 CVE-2009-1374 CVE-2009-1375 CVE-2009-1376

A buffer overflow flaw was found in the way Pidgin initiates file 
transfers when using the Extensible Messaging and Presence Protocol 
(XMPP). If a Pidgin client initiates a file transfer, and the remote 
target sends a malformed response, it could cause Pidgin to crash or, 
potentially, execute arbitrary code with the permissions of the user 
running Pidgin. This flaw only affects accounts using XMPP, such as 
Jabber and Google Talk. (CVE-2009-1373)

A denial of service flaw was found in Pidgin's QQ protocol decryption
handler. When the QQ protocol decrypts packet information, heap data can 
be overwritten, possibly causing Pidgin to crash. (CVE-2009-1374)

A flaw was found in the way Pidgin's PurpleCircBuffer object is 
expanded. If the buffer is full when more data arrives, the data stored 
in this buffer becomes corrupted. This corrupted data could result in 
confusing or misleading data being presented to the user, or possibly 
crash Pidgin. (CVE-2009-1375)
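The PurpleCircBuffer expansion flaw above is a classic circular-buffer hazard. As an added illustration (not libpurple's code and not the actual Pidgin fix), this toy ring buffer in C shows the case a grow routine must get right: when the buffer is full, the stored bytes wrap around the end of the array and have to be linearised into the new allocation, otherwise they come back out of order or corrupted. All names here (ring_t, ring_grow, demo_fifo_preserved) are invented for the example.

```c
#include <stdlib.h>
#include <string.h>
/* Toy ring buffer (an illustration, not libpurple's PurpleCircBuffer). */
typedef struct { char *buf; size_t cap, start, len; } ring_t;
/* Copy n live bytes out in FIFO order, joining the wrapped tail. */
static void ring_copy_out(const ring_t *r, char *dst, size_t n) {
    size_t first = r->cap - r->start;        /* bytes before the wrap point */
    if (first > n) first = n;
    memcpy(dst, r->buf + r->start, first);
    memcpy(dst + first, r->buf, n - first);  /* wrapped tail, if any */
}
/* Growth is where the advisory's failure mode lives: a full buffer's data
   wraps, so reallocating without relocating the tail scrambles the bytes. */
static int ring_grow(ring_t *r, size_t need) {
    size_t newcap = r->cap;
    while (newcap < need) newcap *= 2;
    char *nb = malloc(newcap);
    if (!nb) return -1;
    ring_copy_out(r, nb, r->len);            /* linearise before switching */
    free(r->buf);
    r->buf = nb; r->cap = newcap; r->start = 0;
    return 0;
}
static int ring_append(ring_t *r, const char *data, size_t n) {
    if (r->len + n > r->cap && ring_grow(r, r->len + n) != 0) return -1;
    size_t end = (r->start + r->len) % r->cap, first = r->cap - end;
    if (first > n) first = n;
    memcpy(r->buf + end, data, first);
    memcpy(r->buf, data + first, n - first);
    r->len += n; return 0;
}
static size_t ring_read(ring_t *r, char *out, size_t n) {
    if (n > r->len) n = r->len;
    ring_copy_out(r, out, n);
    r->start = (r->start + n) % r->cap;
    r->len -= n; return n;
}
/* Constructed scenario: fill 4 bytes, consume 2, refill so the data wraps,
   then append enough to force growth while full. Returns what comes back. */
static const char *demo_fifo_preserved(void) {
    static char out[16];
    ring_t r = { malloc(4), 4, 0, 0 }; if (!r.buf) return NULL;
    ring_append(&r, "abcd", 4);
    ring_read(&r, out, 2);          /* consume "ab": start=2, len=2 */
    ring_append(&r, "ef", 2);       /* full again, "ef" wrapped to index 0 */
    ring_append(&r, "ghij", 4);     /* ring_grow runs on a wrapped, full buffer */
    size_t n = ring_read(&r, out, sizeof out - 1);
    out[n] = '\0'; free(r.buf);
    return out;                     /* "cdefghij" */
}
```

If ring_grow were a bare realloc() with start left at 2, the same scenario would yield a scrambled sequence, which is the "corrupted data presented to the user" outcome the advisory describes.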

If a Pidgin client receives a specially-crafted MSN message, it may be 
possible to execute arbitrary code with the permissions of the user 
running Pidgin. (CVE-2009-1376)

Note: By default, when using an MSN account, only users on your buddy 
list can send you messages. This prevents arbitrary MSN users from 
exploiting this flaw.

Pidgin must be restarted for this update to take effect.

SL 3.0.x

       SRPMS:
pidgin-1.5.1-3.el3.src.rpm
       i386:
pidgin-1.5.1-3.el3.i386.rpm
       x86_64:
pidgin-1.5.1-3.el3.x86_64.rpm

SL 4.x

       SRPMS:
pidgin-2.5.5-2.el4.src.rpm
       i386:
finch-2.5.5-2.el4.i386.rpm
finch-devel-2.5.5-2.el4.i386.rpm
libpurple-2.5.5-2.el4.i386.rpm
libpurple-devel-2.5.5-2.el4.i386.rpm
libpurple-perl-2.5.5-2.el4.i386.rpm
libpurple-tcl-2.5.5-2.el4.i386.rpm
pidgin-2.5.5-2.el4.i386.rpm
pidgin-devel-2.5.5-2.el4.i386.rpm
pidgin-perl-2.5.5-2.el4.i386.rpm
       x86_64:
finch-2.5.5-2.el4.i386.rpm
finch-devel-2.5.5-2.el4.i386.rpm
libpurple-2.5.5-2.el4.i386.rpm
libpurple-devel-2.5.5-2.el4.i386.rpm
libpurple-perl-2.5.5-2.el4.i386.rpm
libpurple-tcl-2.5.5-2.el4.i386.rpm
pidgin-2.5.5-2.el4.i386.rpm
pidgin-devel-2.5.5-2.el4.i386.rpm
pidgin-perl-2.5.5-2.el4.i386.rpm

SL 5.x

       SRPMS:
pidgin-2.5.5-3.el5.src.rpm
       i386:
finch-2.5.5-3.el5.i386.rpm
finch-devel-2.5.5-3.el5.i386.rpm
libpurple-2.5.5-3.el5.i386.rpm
libpurple-devel-2.5.5-3.el5.i386.rpm
libpurple-perl-2.5.5-3.el5.i386.rpm
libpurple-tcl-2.5.5-3.el5.i386.rpm
pidgin-2.5.5-3.el5.i386.rpm
pidgin-devel-2.5.5-3.el5.i386.rpm
pidgin-perl-2.5.5-3.el5.i386.rpm
       x86_64:
finch-2.5.5-3.el5.i386.rpm
finch-2.5.5-3.el5.x86_64.rpm
finch-devel-2.5.5-3.el5.i386.rpm
finch-devel-2.5.5-3.el5.x86_64.rpm
libpurple-2.5.5-3.el5.i386.rpm
libpurple-2.5.5-3.el5.x86_64.rpm
libpurple-devel-2.5.5-3.el5.i386.rpm
libpurple-devel-2.5.5-3.el5.x86_64.rpm
libpurple-perl-2.5.5-3.el5.x86_64.rpm
libpurple-tcl-2.5.5-3.el5.x86_64.rpm
pidgin-2.5.5-3.el5.i386.rpm
pidgin-2.5.5-3.el5.x86_64.rpm
pidgin-devel-2.5.5-3.el5.i386.rpm
pidgin-devel-2.5.5-3.el5.x86_64.rpm
pidgin-perl-2.5.5-3.el5.x86_64.rpm

-Connie Sieh
-Troy Dawson
