
Ubuntu: 2100-1 Critical Pidgin Denial of Service Threats

=========================================================================
Ubuntu Security Notice USN-2100-1
February 06, 2014

pidgin vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Pidgin.

Software Description:
- pidgin: graphical multi-protocol instant messaging client for X

Details:

Thijs Alkemade and Robert Vehse discovered that Pidgin incorrectly handled
the Yahoo! protocol. A remote attacker could use this issue to cause
Pidgin to crash, resulting in a denial of service. (CVE-2012-6152)

Jaime Breva Ribes discovered that Pidgin incorrectly handled the XMPP
protocol. A remote attacker could use this issue to cause Pidgin to crash,
resulting in a denial of service. (CVE-2013-6477)

It was discovered that Pidgin incorrectly handled long URLs. A remote
attacker could use this issue to cause Pidgin to crash, resulting in a
denial of service. (CVE-2013-6478)

Jacob Appelbaum discovered that Pidgin incorrectly handled certain HTTP
responses. A malicious remote server or a man in the middle could use this
issue to cause Pidgin to crash, resulting in a denial of service.
(CVE-2013-6479)

Daniel Atallah discovered that Pidgin incorrectly handled the Yahoo!
protocol. A remote attacker could use this issue to cause Pidgin to crash,
resulting in a denial of service. (CVE-2013-6481)

Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin
incorrectly handled the MSN protocol. A remote attacker could use this
issue to cause Pidgin to crash, resulting in a denial of service.
(CVE-2013-6482)

Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin
incorrectly handled XMPP iq replies. A remote attacker could use this
issue to spoof messages. (CVE-2013-6483)

It was discovered that Pidgin incorrectly handled STUN server responses. A
remote attacker could use this issue to cause Pidgin to crash, resulting in
a denial of service. (CVE-2013-6484)

Matt Jones discovered that Pidgin incorrectly handled certain chunked HTTP
responses. A malicious remote server or a man in the middle could use this
issue to cause Pidgin to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2013-6485)

Yves Younan and Ryan Pentney discovered that Pidgin incorrectly handled
certain Gadu-Gadu HTTP messages. A malicious remote server or a man in the
middle could use this issue to cause Pidgin to crash, resulting in a denial
of service, or possibly execute arbitrary code. (CVE-2013-6487)

Yves Younan and Pawel Janic discovered that Pidgin incorrectly handled MXit
emoticons. A remote attacker could use this issue to cause Pidgin to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2013-6489)

Yves Younan discovered that Pidgin incorrectly handled SIMPLE headers. A
remote attacker could use this issue to cause Pidgin to crash, resulting in
a denial of service, or possibly execute arbitrary code. (CVE-2013-6490)

Daniel Atallah discovered that Pidgin incorrectly handled IRC argument
parsing. A malicious remote server or a man in the middle could use this
issue to cause Pidgin to crash, resulting in a denial of service.
(CVE-2014-0020)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 13.10:
  libpurple0                      1:2.10.7-0ubuntu4.1.13.10.1
  pidgin                          1:2.10.7-0ubuntu4.1.13.10.1

Ubuntu 12.10:
  libpurple0                      1:2.10.6-0ubuntu2.3
  pidgin                          1:2.10.6-0ubuntu2.3

Ubuntu 12.04 LTS:
  libpurple0                      1:2.10.3-0ubuntu1.4
  pidgin                          1:2.10.3-0ubuntu1.4

After a standard system update you need to restart Pidgin to make all the
necessary changes.

References:
  https://ubuntu.com/security/notices/USN-2100-1
  CVE-2012-6152, CVE-2013-6477, CVE-2013-6478, CVE-2013-6479,
  CVE-2013-6481, CVE-2013-6482, CVE-2013-6483, CVE-2013-6484,
  CVE-2013-6485, CVE-2013-6487, CVE-2013-6489, CVE-2013-6490,
  CVE-2014-0020

Package Information:
  https://launchpad.net/ubuntu/+source/pidgin/1:2.10.7-0ubuntu4.1.13.10.1
  https://launchpad.net/ubuntu/+source/pidgin/1:2.10.6-0ubuntu2.3
  https://launchpad.net/ubuntu/+source/pidgin/1:2.10.3-0ubuntu1.4

