MDVSA-2010:085
- Package name
- pidgin
- Date
- 2010-04-28
- Advisory ID
- MDVSA-2010:085
- Affected versions
- 2009.0 x86_64, 2009.0 i586
Problem description
Security vulnerabilities have been identified and fixed in pidgin:
The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium
before 1.3.7 allows remote attackers to cause a denial of service
(application crash) via crafted contact-list data for (1) ICQ and
possibly (2) AIM, as demonstrated by the SIM IM client (CVE-2009-3615).
Directory traversal vulnerability in slp.c in the MSN protocol
plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows
remote attackers to read arbitrary files via a .. (dot dot) in an
application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request,
a related issue to CVE-2004-0122. NOTE: it could be argued that
this is resultant from a vulnerability in which an emoticon download
request is processed even without a preceding text/x-mms-emoticon
message that announced availability of the emoticon (CVE-2010-0013).
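The two weaknesses named for CVE-2010-0013 are a path check that is missing (a `..` in the emoticon name walks out of the directory) and a state check that is missing (a download request is honoured even when no text/x-mms-emoticon message announced that emoticon). The following is an added example, not libpurple's code, showing both checks in a small defensive model; `EmoticonStore`, `announce`, `resolve` and the temporary directory used by `demo()` are all constructed for illustration.

```python
import tempfile
from pathlib import Path


class EmoticonStore:
    """Hypothetical per-account emoticon cache (added example, not libpurple).

    A requested emoticon file is served only if
      1. a preceding announcement (text/x-mms-emoticon) named it, and
      2. the resolved path still lies inside base_dir after '..' and
         absolute-path components have been collapsed.
    """

    def __init__(self, base_dir):
        self.base_dir = Path(base_dir).resolve()
        self.announced = set()

    def announce(self, name):
        # Record that the peer advertised a custom smiley under this name.
        self.announced.add(name)

    def resolve(self, requested):
        """Return the on-disk Path for `requested`, or None to refuse it."""
        if requested not in self.announced:
            return None  # download request without a prior announcement
        # Path joining with an absolute component discards base_dir, and
        # '..' components are only collapsed by resolve(); compare afterwards.
        candidate = (self.base_dir / requested).resolve()
        try:
            candidate.relative_to(self.base_dir)
        except ValueError:
            return None  # escaped the emoticon directory
        return candidate


def demo():
    """Run constructed requests against a temporary directory.

    Returns {request: 'served' | 'refused'}.
    """
    with tempfile.TemporaryDirectory() as tmp:
        store = EmoticonStore(tmp)
        # The announcement itself may carry a hostile name, so the path
        # check is still required even for announced emoticons.
        for name in ("smiley.png", "../../etc/passwd", "/etc/passwd"):
            store.announce(name)
        requests = ["smiley.png", "../../etc/passwd", "/etc/passwd", "unannounced.png"]
        return {r: ("served" if store.resolve(r) is not None else "refused")
                for r in requests}


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{outcome:8} {request}")
```

The order of the checks matters: the announcement test is cheap and rejects unsolicited traffic first, while the `relative_to` comparison is done on the fully resolved path so that symlinks and `..` segments cannot slip past a purely textual `".." in name` filter.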
Certain malformed SLP messages can trigger a crash because the MSN
protocol plugin fails to check that all pieces of the message are
set correctly (CVE-2010-0277).
If a user in a multi-user chat room has a nickname containing '<br>'
then libpurple ends up having two users with username '<br>' in the room,
and Finch crashes in this situation. We do not believe there is a
possibility of remote code execution (CVE-2010-0420).
oCERT notified us about a problem in Pidgin, where a large amount of
processing time will be used when inserting many smileys into an IM
or chat window. This should not cause a crash, but Pidgin can become
unusably slow (CVE-2010-0423).
Packages for 2009.0 are provided due to the Extended Maintenance
Program.
This update provides pidgin 2.6.6, which is not vulnerable to these
issues.
Updated packages
2009.0 x86_64
73f00980b1022b260483fb1186a8a857 2009.0/x86_64/finch-2.6.6-0.1mdv2009.0.x86_64.rpm
098f9f209c84f4f3cff9eebb225df45c 2009.0/x86_64/lib64finch0-2.6.6-0.1mdv2009.0.x86_64.rpm
4365bea65c0ef5b7d027820056c43ee7 2009.0/x86_64/lib64purple0-2.6.6-0.1mdv2009.0.x86_64.rpm
03790a91d3c7b2e40b23ffe5bd596d7f 2009.0/x86_64/lib64purple-devel-2.6.6-0.1mdv2009.0.x86_64.rpm
f0c784c60d1906840cb37dd164386009 2009.0/x86_64/pidgin-2.6.6-0.1mdv2009.0.x86_64.rpm
e126ad8f718245f969a07e68aac4ce75 2009.0/x86_64/pidgin-bonjour-2.6.6-0.1mdv2009.0.x86_64.rpm
5cb631dd7e07bd657dede89674ab0604 2009.0/x86_64/pidgin-client-2.6.6-0.1mdv2009.0.x86_64.rpm
bda2495720a394af0ff148b43c814e5d 2009.0/x86_64/pidgin-gevolution-2.6.6-0.1mdv2009.0.x86_64.rpm
6b51ecdb5b1c9b24caa0c04c67e5fa32 2009.0/x86_64/pidgin-i18n-2.6.6-0.1mdv2009.0.x86_64.rpm
cc23c3e478f8b4b923fa34128bf729eb 2009.0/x86_64/pidgin-meanwhile-2.6.6-0.1mdv2009.0.x86_64.rpm
7b569dc8c9584ae594165b0e985cc671 2009.0/x86_64/pidgin-mono-2.6.6-0.1mdv2009.0.x86_64.rpm
37b896476f725311f108e56758674a6e 2009.0/x86_64/pidgin-perl-2.6.6-0.1mdv2009.0.x86_64.rpm
2e5eda0cde9ad8105dab80080a14c361 2009.0/x86_64/pidgin-plugins-2.6.6-0.1mdv2009.0.x86_64.rpm
2d0ab0df7212fd47ba891974d8ac87f7 2009.0/x86_64/pidgin-silc-2.6.6-0.1mdv2009.0.x86_64.rpm
2790d06426db09a03d27771acb38dcbc 2009.0/x86_64/pidgin-tcl-2.6.6-0.1mdv2009.0.x86_64.rpm
bc18b444b5c2c5bf1e6dbf5b350d120c 2009.0/SRPMS/pidgin-2.6.6-0.1mdv2009.0.src.rpm
2009.0 i586
ff6ea030872577e6b0554d9ad92a396a 2009.0/i586/finch-2.6.6-0.1mdv2009.0.i586.rpm
af78075de6309e9b6bee73321c26407f 2009.0/i586/libfinch0-2.6.6-0.1mdv2009.0.i586.rpm
844a556786c447a1ca145701079fdbdf 2009.0/i586/libpurple0-2.6.6-0.1mdv2009.0.i586.rpm
07909a8b9a8dc94d32d4334887f95e60 2009.0/i586/libpurple-devel-2.6.6-0.1mdv2009.0.i586.rpm
add7f860c109470332a924abdde94867 2009.0/i586/pidgin-2.6.6-0.1mdv2009.0.i586.rpm
473b623dd01143484f56aeec8198c038 2009.0/i586/pidgin-bonjour-2.6.6-0.1mdv2009.0.i586.rpm
ebbc0a0da115f42d557086d92952a593 2009.0/i586/pidgin-client-2.6.6-0.1mdv2009.0.i586.rpm
c2e797ac95c71799df4c5e07655c7102 2009.0/i586/pidgin-gevolution-2.6.6-0.1mdv2009.0.i586.rpm
b96046816302e5bb7f671282534acebe 2009.0/i586/pidgin-i18n-2.6.6-0.1mdv2009.0.i586.rpm
312ea5008d2d2925e146c097a042a2bc 2009.0/i586/pidgin-meanwhile-2.6.6-0.1mdv2009.0.i586.rpm
c1deaff7c0b2bcc8287b4e2d44a917b4 2009.0/i586/pidgin-mono-2.6.6-0.1mdv2009.0.i586.rpm
8966ecdef85c226fd04331a71a8d59a3 2009.0/i586/pidgin-perl-2.6.6-0.1mdv2009.0.i586.rpm
615e6e69dc77419a52df58f9500f3278 2009.0/i586/pidgin-plugins-2.6.6-0.1mdv2009.0.i586.rpm
6c5d548b6aead8023952b710662a0fdd 2009.0/i586/pidgin-silc-2.6.6-0.1mdv2009.0.i586.rpm
4c7e7cf01343077a7d880b049bfbeb89 2009.0/i586/pidgin-tcl-2.6.6-0.1mdv2009.0.i586.rpm
bc18b444b5c2c5bf1e6dbf5b350d120c 2009.0/SRPMS/pidgin-2.6.6-0.1mdv2009.0.src.rpm
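The package lists above are MD5 sums paired with mirror-relative paths. An added example, not part of the advisory, that turns such a list into a verification report for RPMs already downloaded to a local mirror directory: `parse_advisory_hashes`, `verify_packages` and the temporary directory with two constructed payloads used by `demo()` are all assumptions made here for illustration; the one real sum in `demo()` is the SRPM entry from the list above.

```python
import hashlib
import tempfile
from pathlib import Path


def parse_advisory_hashes(text):
    """Parse 'md5 path md5 path ...' pairs (one per line or run together)
    into {relative_path: md5}."""
    tokens = text.split()
    if len(tokens) % 2:
        raise ValueError("odd token count: expected md5/path pairs")
    return {tokens[i + 1]: tokens[i].lower() for i in range(0, len(tokens), 2)}


def md5_of(path, chunk=1 << 16):
    """Stream a file through MD5 so large RPMs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_packages(manifest, mirror_dir):
    """Compare every listed package under mirror_dir with its advisory MD5.

    Returns {relative_path: 'ok' | 'MISMATCH' | 'missing'}.
    """
    root = Path(mirror_dir)
    report = {}
    for rel, expected in parse_advisory_hashes(manifest).items():
        p = root / rel
        if not p.is_file():
            report[rel] = "missing"
        elif md5_of(p) == expected:
            report[rel] = "ok"
        else:
            report[rel] = "MISMATCH"
    return report


def demo():
    """Constructed scenario: one file matches its sum, one was altered after
    the manifest was written, and the SRPM is not present locally."""
    good_payload = b"constructed rpm payload (not a real package)"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "2009.0/x86_64").mkdir(parents=True)
        (root / "2009.0/x86_64/pidgin-2.6.6-0.1mdv2009.0.x86_64.rpm").write_bytes(good_payload)
        (root / "2009.0/x86_64/finch-2.6.6-0.1mdv2009.0.x86_64.rpm").write_bytes(b"tampered payload")
        manifest = (
            f"{hashlib.md5(good_payload).hexdigest()} 2009.0/x86_64/pidgin-2.6.6-0.1mdv2009.0.x86_64.rpm\n"
            "00000000000000000000000000000000 2009.0/x86_64/finch-2.6.6-0.1mdv2009.0.x86_64.rpm\n"
            "bc18b444b5c2c5bf1e6dbf5b350d120c 2009.0/SRPMS/pidgin-2.6.6-0.1mdv2009.0.src.rpm\n"
        )
        return verify_packages(manifest, root)


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:9} {rel}")
```

The MD5 comparison detects a corrupted or truncated download; it is not an authenticity check, since MD5 is not collision-resistant. The package's GPG signature (`rpm --checksig` on the downloaded file) remains the step that ties the package to the vendor.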
References
- http://pidgin.im/news/security/
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0423
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0420
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0277
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3615
