Gentoo Archives: gentoo-announce

From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200901-13 ] Pidgin: Multiple vulnerabilities
Date: Tue, 20 Jan 2009 22:02:24
Message-Id: 497649CE.8030505@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200901-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Pidgin: Multiple vulnerabilities
      Date: January 20, 2009
      Bugs: #230045, #234135
        ID: 200901-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Pidgin, allowing for
remote arbitrary code execution, Denial of Service and service
spoofing.

Background
==========

Pidgin (formerly Gaim) is an instant messaging client for a variety of
instant messaging protocols. It is based on the libpurple instant
messaging library.

Affected packages
=================

    -------------------------------------------------------------------
     Package        /  Vulnerable  /                        Unaffected
    -------------------------------------------------------------------
  1  net-im/pidgin       < 2.5.1                              >= 2.5.1

Description
===========

Multiple vulnerabilities have been discovered in Pidgin and the
libpurple library:

* A participant in the TippingPoint ZDI reported multiple integer
  overflows in the msn_slplink_process_msg() function in the MSN
  protocol implementation (CVE-2008-2927).

* Juan Pablo Lopez Yacubian is credited for reporting a
  use-after-free flaw in msn_slplink_process_msg() in the MSN protocol
  implementation (CVE-2008-2955).

* The included UPnP server does not limit the size of data to be
  downloaded for UPnP service discovery, according to a report by
  Andrew Hunt and Christian Grothoff (CVE-2008-2957).

* Josh Triplett discovered that the NSS plugin for libpurple does not
  properly verify SSL certificates (CVE-2008-3532).

Impact
======

A remote attacker could send specially crafted messages or files using
the MSN protocol, which could result in the execution of arbitrary code
or a crash of Pidgin. NOTE: Successful exploitation might require the
victim's interaction. Furthermore, an attacker could conduct
man-in-the-middle attacks using bad certificates to obtain sensitive
information, and could exhaust memory and disk resources.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Pidgin users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-im/pidgin-2.5.1"

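The following check is an added example, not part of the advisory or of Gentoo's tooling: it classifies a net-im/pidgin version string against the "< 2.5.1 vulnerable, >= 2.5.1 unaffected" rule from the Affected packages table, for use before and after the upgrade. The function names are hypothetical, the sample versions are constructed, and the version handling is a simplified assumption covering dotted numbers, pre-release suffixes, _pN and -rN only.

```shell
#!/bin/sh
# Added example: classify a net-im/pidgin version against GLSA 200901-13.
FIXED="2.5.1"   # first unaffected version, taken from the advisory table

# ver_cmp A B: print -1, 0 or 1 for dotted numeric versions, compared
# component by component as integers (so 2.10.0 is newer than 2.5.1).
ver_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# glsa_status VERSION: print vulnerable, unaffected or unknown.
glsa_status() {
    v=${1%-r[0-9]*}        # drop the ebuild revision; the threshold has none
    base=${v%%_*}
    suffix=""
    if [ "$v" != "$base" ]; then suffix=${v#*_}; fi
    case $base in
        ""|*[!0-9.]*|.*|*.|*..*) echo unknown; return ;;
    esac
    case $(ver_cmp "$base" "$FIXED") in
        -1) echo vulnerable ;;
        1)  echo unaffected ;;
        0)  case $suffix in
                alpha*|beta*|pre*|rc*) echo vulnerable ;;  # sorts before 2.5.1
                ""|p[0-9]*)            echo unaffected ;;  # 2.5.1 or a later patch level
                *)                     echo unknown ;;
            esac ;;
    esac
}

# Constructed sample versions, not output from a real system.
for sample in 2.4.3 2.5.0-r1 2.5.1_rc1 2.5.1 2.5.1-r2 2.10.0; do
    printf '%-10s %s\n' "$sample" "$(glsa_status "$sample")"
done
```
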
References
==========

  [ 1 ] CVE-2008-2927
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2927
  [ 2 ] CVE-2008-2955
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2955
  [ 3 ] CVE-2008-2957
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2957
  [ 4 ] CVE-2008-3532
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3532

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200901-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
