MDVSA-2010:002
Package name: pidgin
Date: 2010-01-11
Advisory ID: MDVSA-2010:002
Affected versions: 2010.0 x86_64, 2010.0 i586
Problem description
A security vulnerability has been identified and fixed in pidgin:
Directory traversal vulnerability in slp.c in the MSN protocol
plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows
remote attackers to read arbitrary files via a .. (dot dot) in an
application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request,
a related issue to CVE-2004-0122. NOTE: it could be argued that
this is resultant from a vulnerability in which an emoticon download
request is processed even without a preceding text/x-mms-emoticon
message that announced availability of the emoticon (CVE-2010-0013).
This update provides pidgin 2.6.5, which is not vulnerable to this
issue.
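
The description names two conditions: a `..` in the requested emoticon name, and a request served without a preceding announcement. Both can be checked before any file is opened. The C code below is an added example, not code from libpurple or from this advisory; the struct, the function names and the `/srv/smileys` directory used to exercise it are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ANNOUNCED 16
#define NAME_LEN 64

/* Hypothetical per-conversation state: smileys this client announced. */
struct smiley_session {
    char announced[MAX_ANNOUNCED][NAME_LEN];
    size_t count;
};

/* Accept only a single path component: no separators, not "." or "..". */
static bool is_plain_filename(const char *name)
{
    if (name == NULL || name[0] == '\0' || strlen(name) >= NAME_LEN)
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    return strpbrk(name, "/\\") == NULL;
}

/* Record a smiley we announced (the text/x-mms-emoticon step). */
bool session_announce(struct smiley_session *s, const char *name)
{
    if (!is_plain_filename(name) || s->count >= MAX_ANNOUNCED)
        return false;
    snprintf(s->announced[s->count++], NAME_LEN, "%s", name);
    return true;
}

/* Map a peer's request to a path under base_dir, or refuse it. */
bool resolve_request(const struct smiley_session *s, const char *base_dir,
                     const char *requested, char *out, size_t out_len)
{
    if (!is_plain_filename(requested))
        return false;                  /* rejects "../" style names */
    for (size_t i = 0; i < s->count; i++) {
        if (strcmp(s->announced[i], requested) == 0) {
            /* Build the path from our own stored name, not the peer's. */
            int n = snprintf(out, out_len, "%s/%s", base_dir, s->announced[i]);
            return n > 0 && (size_t)n < out_len;
        }
    }
    return false;                      /* never announced: not served */
}
```

The allowlist lookup enforces the announcement precondition, and the filename check stays in place as a second barrier in case a bad name ever reaches the announced set.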
Updated packages
2010.0 x86_64
2010.0 i586
