Synopsis:          Moderate: pidgin security update
Issue date:        2010-02-18
CVE Names:         CVE-2010-0277 CVE-2010-0420 CVE-2010-0423

CVE-2010-0277 pidgin MSN protocol plugin memory corruption
CVE-2010-0420 pidgin: Finch XMPP MUC Crash
CVE-2010-0423 pidgin: Smiley Denial of Service

An input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277)

A denial of service flaw was found in Finch's XMPP chat implementation when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML "br" element, it would cause Finch to crash. (CVE-2010-0420)

A denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. (CVE-2010-0423)

Pidgin must be restarted for this update to take effect.
SL 4.x

  SRPMS:
    pidgin-2.6.6-1.el4.src.rpm

  i386:
    finch-2.6.6-1.el4.i386.rpm
    finch-devel-2.6.6-1.el4.i386.rpm
    libpurple-2.6.6-1.el4.i386.rpm
    libpurple-devel-2.6.6-1.el4.i386.rpm
    libpurple-perl-2.6.6-1.el4.i386.rpm
    libpurple-tcl-2.6.6-1.el4.i386.rpm
    pidgin-2.6.6-1.el4.i386.rpm
    pidgin-devel-2.6.6-1.el4.i386.rpm
    pidgin-perl-2.6.6-1.el4.i386.rpm

  x86_64:
    finch-2.6.6-1.el4.x86_64.rpm
    finch-devel-2.6.6-1.el4.x86_64.rpm
    libpurple-2.6.6-1.el4.x86_64.rpm
    libpurple-devel-2.6.6-1.el4.x86_64.rpm
    libpurple-perl-2.6.6-1.el4.x86_64.rpm
    libpurple-tcl-2.6.6-1.el4.x86_64.rpm
    pidgin-2.6.6-1.el4.x86_64.rpm
    pidgin-devel-2.6.6-1.el4.x86_64.rpm
    pidgin-perl-2.6.6-1.el4.x86_64.rpm

SL 5.x

  SRPMS:
    pidgin-2.6.6-1.el5.src.rpm

  i386:
    finch-2.6.6-1.el5.i386.rpm
    finch-devel-2.6.6-1.el5.i386.rpm
    libpurple-2.6.6-1.el5.i386.rpm
    libpurple-devel-2.6.6-1.el5.i386.rpm
    libpurple-perl-2.6.6-1.el5.i386.rpm
    libpurple-tcl-2.6.6-1.el5.i386.rpm
    pidgin-2.6.6-1.el5.i386.rpm
    pidgin-devel-2.6.6-1.el5.i386.rpm
    pidgin-perl-2.6.6-1.el5.i386.rpm

  x86_64:
    finch-2.6.6-1.el5.i386.rpm
    finch-2.6.6-1.el5.x86_64.rpm
    finch-devel-2.6.6-1.el5.i386.rpm
    finch-devel-2.6.6-1.el5.x86_64.rpm
    libpurple-2.6.6-1.el5.i386.rpm
    libpurple-2.6.6-1.el5.x86_64.rpm
    libpurple-devel-2.6.6-1.el5.i386.rpm
    libpurple-devel-2.6.6-1.el5.x86_64.rpm
    libpurple-perl-2.6.6-1.el5.x86_64.rpm
    libpurple-tcl-2.6.6-1.el5.x86_64.rpm
    pidgin-2.6.6-1.el5.i386.rpm
    pidgin-2.6.6-1.el5.x86_64.rpm
    pidgin-devel-2.6.6-1.el5.i386.rpm
    pidgin-devel-2.6.6-1.el5.x86_64.rpm
    pidgin-perl-2.6.6-1.el5.x86_64.rpm

-Connie Sieh
-Troy Dawson
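To check an SL 4 or SL 5 host against the fixed packages listed above, here is an added example script (not part of the advisory); it assumes only rpm, sed and pgrep from the base system, and that version strings are purely numeric once the .elN dist tag is stripped.

```shell
#!/bin/sh
# Added example, not part of the SL advisory: report whether the installed
# pidgin, libpurple and finch packages are at or above the fixed
# version-release 2.6.6-1 (the .el4/.el5 tag is stripped before comparing)
# and remind the operator that a running client still needs a restart.

FIXED_VR="2.6.6-1"   # version-release from the advisory, dist tag removed

# vercmp A B: prints -1, 0 or 1 as A is older than, equal to, or newer than B.
# Both arguments are split on '.' and '-' into numeric fields (assumption:
# no alphabetic fields such as "svn" or "rc").
vercmp() {
    a=$(printf '%s' "$1" | sed 's/[.-]/ /g')
    b=$(printf '%s' "$2" | sed 's/[.-]/ /g')
    set -- $a                      # positional params now hold A's fields
    for x in $b; do
        y=${1:-0}                  # missing trailing field counts as 0
        shift 2>/dev/null || true
        [ "$y" -lt "$x" ] && { echo -1; return; }
        [ "$y" -gt "$x" ] && { echo 1; return; }
    done
    [ $# -gt 0 ] && { echo 1; return; }   # A has extra fields: treat as newer
    echo 0
}

# needs_update INSTALLED_VR: succeeds when INSTALLED_VR is older than FIXED_VR.
needs_update() {
    [ "$(vercmp "$1" "$FIXED_VR")" -lt 0 ]
}

# check_system: query rpm for each affected package and print a verdict line.
check_system() {
    for pkg in pidgin libpurple finch; do
        rpm -q "$pkg" >/dev/null 2>&1 || continue      # not installed
        vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$pkg" | sed 's/\.el[0-9]*$//')
        if needs_update "$vr"; then
            echo "$pkg $vr: VULNERABLE, update to $FIXED_VR"
        else
            echo "$pkg $vr: fixed"
        fi
    done
    # The advisory states Pidgin must be restarted for the update to take effect.
    if pgrep -x pidgin >/dev/null 2>&1 || pgrep -x finch >/dev/null 2>&1; then
        echo "pidgin/finch is running: restart it after updating"
    fi
}

# Only touch the live package database when rpm is actually available.
command -v rpm >/dev/null 2>&1 && check_system
```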