Home / mailings [USN-1500-1] Pidgin vulnerabilities
Posted on 09 July 2012
Ubuntu Security==========================
==========================
========================
Ubuntu Security Notice USN-1500-1
July 09, 2012
pidgin vulnerabilities
==========================
==========================
========================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
Several security issues were fixed in Pidgin.
Software Description:
- pidgin: graphical multi-protocol instant messaging client for X
Details:
Evgeny Boger discovered that Pidgin incorrectly handled buddy list messages=
in
the AIM and ICQ protocol handlers. A remote attacker could send a specially
crafted message and cause Pidgin to crash, leading to a denial of service. =
This
issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2011-4601)
Thijs Alkemade discovered that Pidgin incorrectly handled malformed voice a=
nd
video chat requests in the XMPP protocol handler. A remote attacker could s=
end
a specially crafted message and cause Pidgin to crash, leading to a denial =
of
service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10.
(CVE-2011-4602)
Diego Bauche Madero discovered that Pidgin incorrectly handled UTF-8
sequences in the SILC protocol handler. A remote attacker could send a
specially crafted message and cause Pidgin to crash, leading to a denial
of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10.
(CVE-2011-4603)
Julia Lawall discovered that Pidgin incorrectly cleared memory contents use=
d in
cryptographic operations. An attacker could exploit this to read the memory
contents, leading to an information disclosure. This issue only affected Ub=
untu
10.04 LTS. (CVE-2011-4922)
Clemens Huebner and Kevin Stange discovered that Pidgin incorrectly handled
nickname changes inside chat rooms in the XMPP protocol handler. A remote
attacker could exploit this by changing nicknames, leading to a denial of
service. This issue only affected Ubuntu 11.10. (CVE-2011-4939)
Thijs Alkemade discovered that Pidgin incorrectly handled off-line instant
messages in the MSN protocol handler. A remote attacker could send a specia=
lly
crafted message and cause Pidgin to crash, leading to a denial of service. =
This
issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2012-1178)
Jos=E9 Valent=EDn Guti=E9rrez discovered that Pidgin incorrectly handled SO=
CKS5 proxy
connections during file transfer requests in the XMPP protocol handler. A
remote attacker could send a specially crafted request and cause Pidgin to
crash, leading to a denial of service. This issue only affected Ubuntu 12.04
LTS and 11.10. (CVE-2012-2214)
Fabian Yamaguchi discovered that Pidgin incorrectly handled malformed messa=
ges
in the MSN protocol handler. A remote attacker could send a specially craft=
ed
message and cause Pidgin to crash, leading to a denial of service.
(CVE-2012-2318)
Ulf H=E4rnhammar discovered that Pidgin incorrectly handled messages with i=
n-line
images in the MXit protocol handler. A remote attacker could send a special=
ly
crafted message and possibly execute arbitrary code with user privileges.
(CVE-2012-3374)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
finch 1:2.10.3-0ubuntu1.1
libpurple0 1:2.10.3-0ubuntu1.1
pidgin 1:2.10.3-0ubuntu1.1
Ubuntu 11.10:
finch 1:2.10.0-0ubuntu2.1
libpurple0 1:2.10.0-0ubuntu2.1
pidgin 1:2.10.0-0ubuntu2.1
Ubuntu 11.04:
finch 1:2.7.11-1ubuntu2.2
libpurple0 1:2.7.11-1ubuntu2.2
pidgin 1:2.7.11-1ubuntu2.2
Ubuntu 10.04 LTS:
finch 1:2.6.6-1ubuntu4.5
libpurple0 1:2.6.6-1ubuntu4.5
pidgin 1:2.6.6-1ubuntu4.5
After a standard system update you need to restart Pidgin to make
all the necessary changes.
References:
http://www.ubuntu.com/usn/usn-1500-1
CVE-2011-4601, CVE-2011-4602, CVE-2011-4603, CVE-2011-4922,
CVE-2011-4939, CVE-2012-1178, CVE-2012-2214, CVE-2012-2318,
CVE-2012-3374
Package Information:
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.3-0ubuntu1.1
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.0-0ubuntu2.1
https://launchpad.net/ubuntu/+source/pidgin/1:2.7.11-1ubuntu2.2
https://launchpad.net/ubuntu/+source/pidgin/1:2.6.6-1ubuntu4.5
