[gentoo-announce] [ GLSA 200905-07 ] Pidgin: Multiple vulnerabilities - gentoo-announce

From:	Alex Legler <a3li@g.o>
To:	gentoo-announce@l.g.o
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200905-07 ] Pidgin: Multiple vulnerabilities
Date:	Mon, 25 May 2009 23:12:11
Message-Id:	`1243288741.7549.1.camel@localhost`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200905-07

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Normal

8

     Title: Pidgin: Multiple vulnerabilities

9

      Date: May 25, 2009

10

      Bugs: #270811

11

        ID: 200905-07

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Multiple vulnerabilities in Pidgin might allow for the remote execution

19

of arbitrary code or a Denial of Service.

20

21

Background

22

==========

23

24

Pidgin (formerly Gaim) is an instant messaging client for a variety of

25

instant messaging protocols.

26

27

Affected packages

28

=================

29

30

    -------------------------------------------------------------------

31

     Package        /  Vulnerable  /                        Unaffected

32

    -------------------------------------------------------------------

33

  1  net-im/pidgin       < 2.5.6                              >= 2.5.6

34

35

Description

36

===========

37

38

Multiple vulnerabilities have been discovered in Pidgin:

39

40

* Veracode reported a boundary error in the "XMPP SOCKS5 bytestream

41

  server" when initiating an outgoing file transfer (CVE-2009-1373).

42

43

* Ka-Hing Cheung reported a heap corruption flaw in the QQ protocol

44

  handler (CVE-2009-1374).

45

46

* A memory corruption flaw in "PurpleCircBuffer" was disclosed by

47

  Josef Andrysek (CVE-2009-1375).

48

49

* The previous fix for CVE-2008-2927 contains a cast from uint64 to

50

  size_t, possibly leading to an integer overflow (CVE-2009-1376, GLSA

51

  200901-13).

52

53

Impact

54

======

55

56

A remote attacker could send specially crafted messages or files using

57

the MSN, XMPP or QQ protocols, possibly resulting in the execution of

58

arbitrary code with the privileges of the user running the application,

59

or a Denial of Service. NOTE: Successful exploitation might require the

60

victim's interaction.

61

62

Workaround

63

==========

64

65

There is no known workaround at this time.

66

67

Resolution

68

==========

69

70

All Pidgin users should upgrade to the latest version:

71

72

    # emerge --sync

73

    # emerge --ask --oneshot --verbose ">=net-im/pidgin-2.5.6"

74

75

References

76

==========

77

78

  [ 1 ] CVE-2009-1373

79

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1373

80

  [ 2 ] CVE-2009-1374

81

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1374

82

  [ 3 ] CVE-2009-1375

83

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1375

84

  [ 4 ] CVE-2009-1376

85

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1376

86

  [ 5 ] GLSA 200901-13

87

        http://www.gentoo.org/security/en/glsa/glsa-200901-13.xml

88

89

Availability

90

============

91

92

This GLSA and any updates to it are available for viewing at

93

the Gentoo Security Website:

94

95

  http://security.gentoo.org/glsa/glsa-200905-07.xml

96

97

Concerns?

98

=========

99

100

Security is a primary focus of Gentoo Linux and ensuring the

101

confidentiality and security of our users machines is of utmost

102

importance to us. Any security concerns should be addressed to

103

security@g.o or alternatively, you may file a bug at

104

http://bugs.gentoo.org.

105

106

License

107

=======

108

109

Copyright 2009 Gentoo Foundation, Inc; referenced text

110

belongs to its owner(s).

111

112

The contents of this document are licensed under the

113

Creative Commons - Attribution / Share Alike license.

114

115

http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200905-07
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: Pidgin: Multiple vulnerabilities
9	Date: May 25, 2009
10	Bugs: #270811
11	ID: 200905-07
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Multiple vulnerabilities in Pidgin might allow for the remote execution
19	of arbitrary code or a Denial of Service.
20
21	Background
22	==========
23
24	Pidgin (formerly Gaim) is an instant messaging client for a variety of
25	instant messaging protocols.
26
27	Affected packages
28	=================
29
30	-------------------------------------------------------------------
31	Package / Vulnerable / Unaffected
32	-------------------------------------------------------------------
33	1 net-im/pidgin < 2.5.6 >= 2.5.6
34
35	Description
36	===========
37
38	Multiple vulnerabilities have been discovered in Pidgin:
39
40	* Veracode reported a boundary error in the "XMPP SOCKS5 bytestream
41	server" when initiating an outgoing file transfer (CVE-2009-1373).
42
43	* Ka-Hing Cheung reported a heap corruption flaw in the QQ protocol
44	handler (CVE-2009-1374).
45
46	* A memory corruption flaw in "PurpleCircBuffer" was disclosed by
47	Josef Andrysek (CVE-2009-1375).
48
49	* The previous fix for CVE-2008-2927 contains a cast from uint64 to
50	size_t, possibly leading to an integer overflow (CVE-2009-1376, GLSA
51	200901-13).
52
53	Impact
54	======
55
56	A remote attacker could send specially crafted messages or files using
57	the MSN, XMPP or QQ protocols, possibly resulting in the execution of
58	arbitrary code with the privileges of the user running the application,
59	or a Denial of Service. NOTE: Successful exploitation might require the
60	victim's interaction.
61
62	Workaround
63	==========
64
65	There is no known workaround at this time.
66
67	Resolution
68	==========
69
70	All Pidgin users should upgrade to the latest version:
71
72	# emerge --sync
73	# emerge --ask --oneshot --verbose ">=net-im/pidgin-2.5.6"
74
75	References
76	==========
77
78	[ 1 ] CVE-2009-1373
79	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1373
80	[ 2 ] CVE-2009-1374
81	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1374
82	[ 3 ] CVE-2009-1375
83	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1375
84	[ 4 ] CVE-2009-1376
85	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1376
86	[ 5 ] GLSA 200901-13
87	http://www.gentoo.org/security/en/glsa/glsa-200901-13.xml
88
89	Availability
90	============
91
92	This GLSA and any updates to it are available for viewing at
93	the Gentoo Security Website:
94
95	http://security.gentoo.org/glsa/glsa-200905-07.xml
96
97	Concerns?
98	=========
99
100	Security is a primary focus of Gentoo Linux and ensuring the
101	confidentiality and security of our users machines is of utmost
102	importance to us. Any security concerns should be addressed to
103	security@g.o or alternatively, you may file a bug at
104	http://bugs.gentoo.org.
105
106	License
107	=======
108
109	Copyright 2009 Gentoo Foundation, Inc; referenced text
110	belongs to its owner(s).
111
112	The contents of this document are licensed under the
113	Creative Commons - Attribution / Share Alike license.
114
115	http://creativecommons.org/licenses/by-sa/2.5