Gentoo Archives: gentoo-announce

From: Sean Amoss <ackle@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201405-22 ] Pidgin: Multiple vulnerabilities
Date: Sun, 18 May 2014 17:53:08
Message-Id: 5378F2C9.9080107@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201405-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: Pidgin: Multiple vulnerabilities
     Date: May 18, 2014
     Bugs: #457580, #499596
       ID: 201405-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in Pidgin may allow execution of arbitrary
code.

Background
==========

Pidgin is a GTK Instant Messenger client for a variety of instant
messaging protocols.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-im/pidgin               < 2.10.9                   >= 2.10.9
                                                         *>= 2.10.9-r1

Description
===========

Multiple vulnerabilities have been discovered in Pidgin. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly execute arbitrary code with the
privileges of the Pidgin process, cause a Denial of Service condition,
overwrite files, or spoof traffic.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Pidgin users on HPPA or users of GNOME 3.8 and later on AMD64 or
X86 should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-im/pidgin-2.10.9-r1"

All Pidgin users on ALPHA, PPC, PPC64, SPARC, and users of GNOME before
3.8 on AMD64 and X86 should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-im/pidgin-2.10.9"

References
==========

[ 1 ] CVE-2012-6152
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6152
[ 2 ] CVE-2013-0271
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0271
[ 3 ] CVE-2013-0272
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0272
[ 4 ] CVE-2013-0273
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0273
[ 5 ] CVE-2013-0274
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0274
[ 6 ] CVE-2013-6477
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6477
[ 7 ] CVE-2013-6478
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6478
[ 8 ] CVE-2013-6479
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6479
[ 9 ] CVE-2013-6481
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6481
[ 10 ] CVE-2013-6482
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6482
[ 11 ] CVE-2013-6483
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6483
[ 12 ] CVE-2013-6484
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6484
[ 13 ] CVE-2013-6485
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6485
[ 14 ] CVE-2013-6487
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6487
[ 15 ] CVE-2013-6489
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6489
[ 16 ] CVE-2013-6490
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6490
[ 17 ] CVE-2014-0020
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0020

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201405-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2014 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature