Debian 5.0: DSA-1870-1 Severe: pidgin Buffer Overflow Risk
debian
August 20, 2009
Federico Muttis discovered that libpurple, the shared library that adds support for various instant messaging networks to the pidgin IM client, is vulnerable to a heap-based buffer...
Summary
Federico Muttis discovered that libpurple, the shared library that adds
support for various instant messaging networks to the pidgin IM client, is
vulnerable to a heap-based buffer overflow. This issue exists because of
an incomplete fix for CVE-2008-2927 and CVE-2009-1376. An attacker can
exploit this by sending two consecutive SLP packets to a victim via MSN.
The first packet is used to create an SLP message object with an offset of
zero, the second packet then contains a crafted offset which hits the
vulnerable code originally fixed in CVE-2008-2927 and CVE-2009-1376 and
allows an attacker to execute arbitrary code.
Note: Users with the "Allow only the users below" setting are not vulnerable
to this attack. If you can't install the below updates you may want to
set this via Tools->Privacy.
For the stable distribution (lenny), this problem has been fixed in
version 2.4.3-4lenny3.
For the testing distribution (squeeze), this problem will be fixed soon.
For the unstable distribution ...
PREVIOUS
NEXT
Package: pidgin
CVE ID: CVE-2009-2694
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!