[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200901-13.xml - gentoo-commits

From:	"Pierre-Yves Rofes (py)" <py@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200901-13.xml
Date:	Tue, 20 Jan 2009 21:59:57
Message-Id:	`E1LPOdX-0005YB-Qp@stork.gentoo.org`

1

py          09/01/20 21:59:55

2

3

  Added:                glsa-200901-13.xml

4

  Log:

5

  GLSA 200901-13

6

7

Revision  Changes    Path

8

1.1                  xml/htdocs/security/en/glsa/glsa-200901-13.xml

9

10

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200901-13.xml?rev=1.1&view=markup

11

plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200901-13.xml?rev=1.1&content-type=text/plain

12

13

Index: glsa-200901-13.xml

14

===================================================================

15

<?xml version="1.0" encoding="utf-8"?>

16

<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>

17

<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>

18

<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">

19

20

<glsa id="200901-13">

21

  <title>Pidgin: Multiple vulnerabilities</title>

22

  <synopsis>

23

    Multiple vulnerabilities have been discovered in Pidgin, allowing for

24

    remote arbitrary code execution, Denial of Service and service spoofing.

25

  </synopsis>

26

  <product type="ebuild">pidgin</product>

27

  <announced>January 20, 2009</announced>

28

  <revised>January 20, 2009: 01</revised>

29

  <bug>230045</bug>

30

  <bug>234135</bug>

31

  <access>remote</access>

32

  <affected>

33

    <package name="net-im/pidgin" auto="yes" arch="*">

34

      <unaffected range="ge">2.5.1</unaffected>

35

      <vulnerable range="lt">2.5.1</vulnerable>

36

    </package>

37

  </affected>

38

  <background>

39

<p>

40

    Pidgin (formerly Gaim) is an instant messaging client for a variety of

41

    instant messaging protocols. It is based on the libpurple instant

42

    messaging library.

43

    </p>

44

  </background>

45

  <description>

46

<p>

47

    Multiple vulnerabilities have been discovered in Pidgin and the

48

    libpurple library:

49

    </p>

50

    <ul><li>

51

    A participant to the TippingPoint ZDI reported multiple integer

52

    overflows in the msn_slplink_process_msg() function in the MSN protocol

53

    implementation (CVE-2008-2927).

54

    </li>

55

    <li>

56

    Juan Pablo Lopez Yacubian is credited for reporting a use-after-free

57

    flaw in msn_slplink_process_msg() in the MSN protocol implementation

58

    (CVE-2008-2955).

59

    </li>

60

    <li>

61

    The included UPnP server does not limit the size of data to be

62

    downloaded for UPnP service discovery, according to a report by Andrew

63

    Hunt and Christian Grothoff (CVE-2008-2957).

64

    </li>

65

    <li>

66

    Josh Triplett discovered that the NSS plugin for libpurple does not

67

    properly verify SSL certificates (CVE-2008-3532).

68

    </li>

69

    </ul>

70

  </description>

71

  <impact type="normal">

72

<p>

73

    A remote attacker could send specially crafted messages or files using

74

    the MSN protocol which could result in the execution of arbitrary code

75

    or crash Pidgin. NOTE: Successful exploitation might require the

76

    victim's interaction. Furthermore, an attacker could conduct

77

    man-in-the-middle attacks to obtain sensitive information using bad

78

    certificates and cause memory and disk resources to exhaust.

79

    </p>

80

  </impact>

81

  <workaround>

82

<p>

83

    There is no known workaround at this time.

84

    </p>

85

  </workaround>

86

  <resolution>

87

<p>

88

    All Pidgin users should upgrade to the latest version:

89

    </p>

90

    <code>

91

    # emerge --sync

92

    # emerge --ask --oneshot --verbose &quot;&gt;=net-im/pidgin-2.5.1&quot;</code>

93

  </resolution>

94

  <references>

95

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2927">CVE-2008-2927</uri>

96

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2955">CVE-2008-2955</uri>

97

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2957">CVE-2008-2957</uri>

98

    <uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3532">CVE-2008-3532</uri>

99

  </references>

100

  <metadata tag="requester" timestamp="Sun, 06 Jul 2008 18:20:14 +0000">

101

p-y

102

  </metadata>

103

  <metadata tag="submitter" timestamp="Sat, 29 Nov 2008 14:01:14 +0000">

104

    a3li

105

  </metadata>

106

  <metadata tag="bugReady" timestamp="Tue, 02 Dec 2008 14:32:53 +0000">

107

rbu

108

  </metadata>

109

</glsa>

1	py 09/01/20 21:59:55
2
3	Added: glsa-200901-13.xml
4	Log:
5	GLSA 200901-13
6
7	Revision Changes Path
8	1.1 xml/htdocs/security/en/glsa/glsa-200901-13.xml
9
10	file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200901-13.xml?rev=1.1&view=markup
11	plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200901-13.xml?rev=1.1&content-type=text/plain
12
13	Index: glsa-200901-13.xml
14	===================================================================
15	<?xml version="1.0" encoding="utf-8"?>
16	<?xml-stylesheet href="/xsl/glsa.xsl" type="text/xsl"?>
17	<?xml-stylesheet href="/xsl/guide.xsl" type="text/xsl"?>
18	<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
19
20	<glsa id="200901-13">
21	<title>Pidgin: Multiple vulnerabilities</title>
22	<synopsis>
23	Multiple vulnerabilities have been discovered in Pidgin, allowing for
24	remote arbitrary code execution, Denial of Service and service spoofing.
25	</synopsis>
26	<product type="ebuild">pidgin</product>
27	<announced>January 20, 2009</announced>
28	<revised>January 20, 2009: 01</revised>
29	<bug>230045</bug>
30	<bug>234135</bug>
31	<access>remote</access>
32	<affected>
33	<package name="net-im/pidgin" auto="yes" arch="*">
34	<unaffected range="ge">2.5.1</unaffected>
35	<vulnerable range="lt">2.5.1</vulnerable>
36	</package>
37	</affected>
38	<background>
39	<p>
40	Pidgin (formerly Gaim) is an instant messaging client for a variety of
41	instant messaging protocols. It is based on the libpurple instant
42	messaging library.
43	</p>
44	</background>
45	<description>
46	<p>
47	Multiple vulnerabilities have been discovered in Pidgin and the
48	libpurple library:
49	</p>
50	<ul><li>
51	A participant to the TippingPoint ZDI reported multiple integer
52	overflows in the msn_slplink_process_msg() function in the MSN protocol
53	implementation (CVE-2008-2927).
54	</li>
55	<li>
56	Juan Pablo Lopez Yacubian is credited for reporting a use-after-free
57	flaw in msn_slplink_process_msg() in the MSN protocol implementation
58	(CVE-2008-2955).
59	</li>
60	<li>
61	The included UPnP server does not limit the size of data to be
62	downloaded for UPnP service discovery, according to a report by Andrew
63	Hunt and Christian Grothoff (CVE-2008-2957).
64	</li>
65	<li>
66	Josh Triplett discovered that the NSS plugin for libpurple does not
67	properly verify SSL certificates (CVE-2008-3532).
68	</li>
69	</ul>
70	</description>
71	<impact type="normal">
72	<p>
73	A remote attacker could send specially crafted messages or files using
74	the MSN protocol which could result in the execution of arbitrary code
75	or crash Pidgin. NOTE: Successful exploitation might require the
76	victim's interaction. Furthermore, an attacker could conduct
77	man-in-the-middle attacks to obtain sensitive information using bad
78	certificates and cause memory and disk resources to exhaust.
79	</p>
80	</impact>
81	<workaround>
82	<p>
83	There is no known workaround at this time.
84	</p>
85	</workaround>
86	<resolution>
87	<p>
88	All Pidgin users should upgrade to the latest version:
89	</p>
90	<code>
91	# emerge --sync
92	# emerge --ask --oneshot --verbose ">=net-im/pidgin-2.5.1"</code>
93	</resolution>
94	<references>
95	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2927">CVE-2008-2927</uri>
96	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2955">CVE-2008-2955</uri>
97	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2957">CVE-2008-2957</uri>
98	<uri link="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3532">CVE-2008-3532</uri>
99	</references>
100	<metadata tag="requester" timestamp="Sun, 06 Jul 2008 18:20:14 +0000">
101	p-y
102	</metadata>
103	<metadata tag="submitter" timestamp="Sat, 29 Nov 2008 14:01:14 +0000">
104	a3li
105	</metadata>
106	<metadata tag="bugReady" timestamp="Tue, 02 Dec 2008 14:32:53 +0000">
107	rbu
108	</metadata>
109	</glsa>

Gentoo Archives: gentoo-commits