==========================================================Ubuntu Security Notice USN-886-1           January 18, 2010
pidgin vulnerabilities
CVE-2008-2955, CVE-2009-1376, CVE-2009-2703, CVE-2009-3026,
CVE-2009-3083, CVE-2009-3085, CVE-2009-3615, CVE-2010-0013
==========================================================
A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  pidgin                          1:2.4.1-1ubuntu2.8

Ubuntu 8.10:
  pidgin                          1:2.5.2-0ubuntu1.6

Ubuntu 9.04:
  pidgin                          1:2.5.5-1ubuntu8.5

Ubuntu 9.10:
  pidgin                          1:2.6.2-1ubuntu7.1

After a standard system upgrade you need to restart Pidgin to effect
the necessary changes.

Details follow:

It was discovered that Pidgin did not properly handle certain topic
messages in the IRC protocol handler. If a user were tricked into
connecting to a malicious IRC server, an attacker could cause Pidgin to
crash, leading to a denial of service. This issue only affected Ubuntu 8.04
LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-2703)

It was discovered that Pidgin did not properly enforce the "require
TLS/SSL" setting when connecting to certain older Jabber servers. If a
remote attacker were able to perform a man-in-the-middle attack, this flaw
could be exploited to view sensitive information. This issue only affected
Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3026)

It was discovered that Pidgin did not properly handle certain SLP invite
messages in the MSN protocol handler. A remote attacker could send a
specially crafted invite message and cause Pidgin to crash, leading to a
denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10
and Ubuntu 9.04. (CVE-2009-3083)

It was discovered that Pidgin did not properly handle certain errors in the
XMPP protocol handler. A remote attacker could send a specially crafted
message and cause Pidgin to crash, leading to a denial of service. This
issue only affected Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3085)

It was discovered that Pidgin did not properly handle malformed
contact-list data in the OSCAR protocol handler. A remote attacker could
send specially crafted contact-list data and cause Pidgin to crash, leading
to a denial of service. (CVE-2009-3615)

It was discovered that Pidgin did not properly handle custom smiley
requests in the MSN protocol handler. A remote attacker could send a
specially crafted filename in a custom smiley request and obtain arbitrary
files via directory traversal. This issue only affected Ubuntu 8.10, Ubuntu
9.04 and Ubuntu 9.10. (CVE-2010-0013)

Pidgin for Ubuntu 8.04 LTS was also updated to fix connection issues with
the MSN protocol.

USN-675-1 and USN-781-1 provided updated Pidgin packages to fix multiple
security vulnerabilities in Ubuntu 8.04 LTS. The security patches to fix
CVE-2008-2955 and CVE-2009-1376 were incomplete. This update corrects the
problem. Original advisory details:

 It was discovered that Pidgin did not properly handle file transfers
 containing a long filename and special characters in the MSN protocol
 handler. A remote attacker could send a specially crafted filename in a
 file transfer request and cause Pidgin to crash, leading to a denial of
 service. (CVE-2008-2955)

 It was discovered that Pidgin did not properly handle certain malformed
 messages in the MSN protocol handler. A remote attacker could send a
 specially crafted message and possibly execute arbitrary code with user
 privileges. (CVE-2009-1376)


Updated packages for Ubuntu 8.04 LTS:

  Source archives:

          Size/MD5:   141994 377565d6f9785cd8a299214f30b36a1f
          Size/MD5:     1540 45ccb8c6d8abc66534202310a6953d8f
          Size/MD5: 13297380 25e3593d5e6bfc17911111475a057778

  Architecture independent packages:

          Size/MD5:    37852 2eb08561425854ed826626206eff1d58
          Size/MD5:    93090 96e6b207abdd25ad2149ec9b607fc034
          Size/MD5:   235438 f6a639fcc4c3e43406d07a344413bf06
          Size/MD5:  1329662 cd4c47cb464504b16ee162e43527b846
          Size/MD5:    72654 344fbaa95ed0490662c89bc65c883937
          Size/MD5:    87228 862bedd9d9825e955b17938c08773b6e

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

          Size/MD5:   226888 1ef3e17e0ec785ad2de3d88a36c57db8
          Size/MD5:  1573354 fc9d1b6bb56b57c12b51bec7153ffc5e
          Size/MD5:  4435438 ca401f3f935f359e2262f5ff35b77881
          Size/MD5:   572092 90dbf69d0f178c789b1671a706aa2369

  i386 architecture (x86 compatible Intel/AMD):

          Size/MD5:   200896 50c981d44be0a822673afefa96fa67da
          Size/MD5:  1332030 8ede5ce24cfded2adfb9795292e4c679
          Size/MD5:  4245820 977c472519627ba736fc671f0f673d0a
          Size/MD5:   517154 9dfda253357f0893bcb11b5d8364abf3

  lpia architecture (Low Power Intel Architecture):

          Size/MD5:   197204 0078cf81d8336dc34211b41dafe26101
          Size/MD5:  1383340 8d90a07b9c746d6c117c54175bcb870e
          Size/MD5:  4375042 037719cfc045781146b7a04792fad28b
          Size/MD5:   511668 6dfe2cc160fdb2a1e3d0b8981d9d57bb

  powerpc architecture (Apple Macintosh G3/G4/G5):

          Size/MD5:   237200 634c2fbf24bcfe4ab1d1030b67b67e73
          Size/MD5:  1601928 30baa5589e047402985991a57f61b068
          Size/MD5:  4479140 208089e7ce8cb32be40c6e113319b488
          Size/MD5:   589660 729e541c824a03e29c94c318c34bbb3d

  sparc architecture (Sun SPARC/UltraSPARC):

          Size/MD5:   212842 0b6164e0e3f581ab11687bfd41ec6ba1
          Size/MD5:  1500418 eeb368f3982a1ae048a45ec95b542ba1
          Size/MD5:  4368944 dda859d281623e11396e0b323dc8d8a9
          Size/MD5:   545640 9faf225339b7f35f9e19327bb3346481

Updated packages for Ubuntu 8.10:

  Source archives:

          Size/MD5:    65545 6b98b37df4c159ec62bc7ac63189eb3f
          Size/MD5:     1995 0272b5e9d66e3e3335d53fa9c7904168
          Size/MD5: 11642659 3ad83133a2381087cbdddf42ba5d6ecf

  Architecture independent packages:

          Size/MD5:    38228 714b146d040bad0e9253f57a8f7c9455
          Size/MD5:    95520 b7fe1a26f465a8adf6c29723bee60b0c
          Size/MD5:   243134 232eac44b466b4dcada3084d0df7e69b
          Size/MD5:  1107434 8857d85ace3ab8bcdb2843869d5a30af
          Size/MD5:  1357826 25877c3f267dba4db11556b60429c590

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

          Size/MD5:   230062 645804746a0c40fdbfc7510ba8ec9dd2
          Size/MD5:  1756174 95a210be93b209f849a953fa7d9522f9
          Size/MD5:  4662108 7ee3acea4673a7a9b489ed7eb61a1bfe
          Size/MD5:   613972 6bb40c80fd0ce97ace9de8662587a932

  i386 architecture (x86 compatible Intel/AMD):

          Size/MD5:   204020 cc8cbbd0cbd9797c647fc243ac99d235
          Size/MD5:  1503714 aac2ab22f3471423646606852a563a75
          Size/MD5:  4466478 f57243eab9a5f934e768c23cd835e48c
          Size/MD5:   559592 70c0c2966e6ab9930c447f2a5a5744aa

  lpia architecture (Low Power Intel Architecture):

          Size/MD5:   200668 ceeb3d8d689b73786f667d215aa770ca
          Size/MD5:  1552850 df7cfb64fbc1f808db5fdc08882b25c0
          Size/MD5:  4600638 c39ec50abc874e5bf0bd613f02210fa4
          Size/MD5:   553788 5abfad8e919f11ec914b293a5223d012

  powerpc architecture (Apple Macintosh G3/G4/G5):

          Size/MD5:   235482 d8ddd2bdae12c841640b68b12681144d
          Size/MD5:  1791298 f0337a45b7bb750c421da485caf5600c
          Size/MD5:  4686500 c9e8dc61a4836b23e7b4938700ddb7ee
          Size/MD5:   619550 1653420b4e0b57490d760294924d5721

  sparc architecture (Sun SPARC/UltraSPARC):

          Size/MD5:   217320 5eb2ca921bf3684050ad9e268bf61f0a
          Size/MD5:  1683396 80b1f606e6a7bf21ecfe0ddcbb33bc62
          Size/MD5:  4589388 0431ac38fdedd443e8031b9826c1b303
          Size/MD5:   590726 d81cd48595851b468673b419cce88044

Updated packages for Ubuntu 9.04:

  Source archives:

          Size/MD5:   137419 59241d1cac4ce963f65bd5854e14281f
          Size/MD5:     1935 45acfca62d8f7e630bb932d194e1d138
          Size/MD5: 11989031 08d9c0c8dd43dbcec6f67d8ba596029f

  Architecture independent packages:

          Size/MD5:    38430 bce192931c101edee2409f9f1158ac6c
          Size/MD5:    98094 b3498972ddc452552affe4f91544600b
          Size/MD5:   246248 eefb6a4290297ffaee59acc319a280b0
          Size/MD5:  1151318 93e5fa7cbc09889ec4007cb8e1144810
          Size/MD5:  1372024 6f2b41f0050c1915870f52a93c20b308

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

          Size/MD5:   235130 675bebcee61975fff30e0f0d8e55f867
          Size/MD5:  1770054 d688da4c9774a6c732f335e71d157f72
          Size/MD5:  5847024 f2c5dfa9bc15dbd3972b9e9e3a618210
          Size/MD5:   567376 dbaa0e2cd501009b58492ffc0b784834

  i386 architecture (x86 compatible Intel/AMD):

          Size/MD5:   213600 5724b4b67bc676bedc6fafcabd74b6cf
          Size/MD5:  1553106 25e7ad7a5c422eee0b25fd880a5e5e46
          Size/MD5:  5448568 3d88dc1406f6e4f4f81fc41321aef54f
          Size/MD5:   519340 9dd70a4bf593d1bced9d8b5f5fffc009

  lpia architecture (Low Power Intel Architecture):

          Size/MD5:   212142 7afd591832da950725804b855c4acb26
          Size/MD5:  1614416 2e299fb9f6e3a82675eb2170b59daeff
          Size/MD5:  5596092 ffc5d1b61689f39cbc27a86200488bd0
          Size/MD5:   518522 4411732da5ff944035aec13b31ecfb92

  powerpc architecture (Apple Macintosh G3/G4/G5):

          Size/MD5:   245160 a9e60ba8c391a3a054566d45fad698ed
          Size/MD5:  1826334 44d4c0810d532ad4509a955e98c42885
          Size/MD5:  5759990 2ca4bbfbdf778501e71f695269db5b69
          Size/MD5:   580976 6157d61c916eee6157b2f2071aa9541a

  sparc architecture (Sun SPARC/UltraSPARC):

          Size/MD5:   214652 4c8b853fc8d8d1a051b56603bf00097d
          Size/MD5:  1641428 6973af76f8bb2a5929aef3289482d5e7
          Size/MD5:  5292550 e77973fb1f983232608649b4d5dbc914
          Size/MD5:   522172 123f32f21cafc7cd26541e9c9a67e055

Updated packages for Ubuntu 9.10:

  Source archives:

          Size/MD5:    63955 a18508ec876180a8e846f7b03c78d402
          Size/MD5:     2022 e3f19b5502835db64d822ff015a6d6fe
          Size/MD5: 12953515 ec6053408251413f6879a80760787405

  Architecture independent packages:

          Size/MD5:    39654 2bf0613392450fedab0f88ac080f9499
          Size/MD5:    99580 caa23d5b01d3e6c42b0e8298b317403b
          Size/MD5:   277908 6990e3250a69277c5489b282e1980788
          Size/MD5:  1233538 5a967b6090f763719d7e0705e71d3beb
          Size/MD5:  1627242 3610e1aff0bffe9a131ebfa6a8ee5131

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

          Size/MD5:   245266 d554c8d77e81da6ac7cb535e3bc0f7be
          Size/MD5:  1926644 4221b73b17d440539c8be8211912582e
          Size/MD5:  6134880 4a95f9dacf750cc62bd7727955916f90
          Size/MD5:   628590 a1336448a57c34469b2c945ad8a02c41

  i386 architecture (x86 compatible Intel/AMD):

          Size/MD5:   223298 afa0d6268b5eaafa17f75e196445b1cc
          Size/MD5:  1775262 b477cfb3adce439f7073bd6962309b96
          Size/MD5:  5876934 fe3d1beee2cbeaeb1a7329f17d633c70
          Size/MD5:   575552 e2c4cec2371bcfd700382acc2bda8eb7

  lpia architecture (Low Power Intel Architecture):

          Size/MD5:   223242 6a78f84820556ce6eeeeffd9f6619262
          Size/MD5:  1767022 f82dab677ae7a5a566f2eb82a20b272e
          Size/MD5:  6035042 f871c62d5dc86f0d74b4911e47265c3e
          Size/MD5:   575932 1ffc9a5bcc58fa189545381266b7dc1d

  powerpc architecture (Apple Macintosh G3/G4/G5):

          Size/MD5:   239752 d0bab5eb896e76ffee58316c5a1cb7f6
          Size/MD5:  1918756 87d4c5e88ad5dc6ead249d6ae8b131cb
          Size/MD5:  6261310 e5b11ca11c5a9a55efbed5a364639fdf
          Size/MD5:   609470 82a69d3b134098839c1e95ce0d9f7df4

  sparc architecture (Sun SPARC/UltraSPARC):

          Size/MD5:   224548 84c4e0beef5447ec1550bbe58e8da34e
          Size/MD5:  1770836 d7ae8df82edc402abf9c2794b7a07729
          Size/MD5:  5677912 c0e0b23abf27b575258c1ca08581e184
          Size/MD5:   576680 452e2a0e09ad8a965c56b10ff6fcf56e

Ubuntu 886-1: Pidgin vulnerabilities

January 18, 2010
It was discovered that Pidgin did not properly handle certain topic messages in the IRC protocol handler

Summary

Update Instructions

References

Severity
pidgin vulnerabilities

Package Information

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved