MGASA-2013-0058
Date: February 21st, 2013
Affected releases: 2
Media: Core
Description:
Updated pidgin packages fix security vulnerabilities:
Remote MXit user could specify local file path in Pidgin before 2.10.7.
The MXit protocol plugin saves an image to local disk using a filename
that could potentially be partially specified by the IM server or by a
remote user (CVE-2013-0271).
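To make the file-path problem concrete, the following is an added illustration in C (not libpurple's or the MXit plugin's code; the cache directory, function names and the 64-byte name limit are assumptions). It shows the pattern the advisory warns about, a server-supplied name joined to a local directory unchanged, beside a hardened version that reduces the remote name to a single path component before use.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative code, not libpurple's: the pattern the advisory warns
 * about. A name received from the server is joined to the cache
 * directory unchanged, so a value such as "../../etc/passwd" escapes
 * the directory. Returns 0 on success, -1 if the path does not fit. */
int naive_image_path(const char *cache_dir, const char *remote,
                     char *out, size_t outlen)
{
    int r = snprintf(out, outlen, "%s/%s", cache_dir, remote);
    return (r < 0 || (size_t)r >= outlen) ? -1 : 0;
}

/* Reduce an untrusted name to one safe path component using an
 * allow-list (alphanumerics, '-', '_', '.'); every other byte,
 * including '/' and '\\', becomes '_'. Names longer than outlen - 1
 * are truncated. Returns -1 if nothing usable remains (empty, or only
 * dots such as "." or ".."). */
int sanitize_remote_filename(const char *remote, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0)
        return -1;
    for (const char *p = remote; *p != '\0' && n + 1 < outlen; p++) {
        unsigned char c = (unsigned char)*p;
        out[n++] = (isalnum(c) || c == '-' || c == '_' || c == '.') ? (char)c : '_';
    }
    out[n] = '\0';
    if (n == 0 || strspn(out, ".") == n)
        return -1;
    return 0;
}

/* Hardened version: a fixed directory plus a sanitized basename, so the
 * remote side can influence the file name but never the directory. */
int safe_image_path(const char *cache_dir, const char *remote,
                    char *out, size_t outlen)
{
    char name[64];  /* assumed limit for the on-disk name */
    if (sanitize_remote_filename(remote, name, sizeof name) != 0)
        return -1;
    int r = snprintf(out, outlen, "%s/%s", cache_dir, name);
    return (r < 0 || (size_t)r >= outlen) ? -1 : 0;
}
```

With the same input `../../etc/passwd`, `naive_image_path` yields `/tmp/cache/../../etc/passwd` while `safe_image_path` yields `/tmp/cache/.._.._etc_passwd`; the allow-list approach is preferred over stripping `..` and `/` because it also neutralises backslashes, control characters and other bytes a platform's filesystem might interpret.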
MXit buffer overflow reading data from network in Pidgin before 2.10.7.
The code did not respect the size of the buffer when parsing HTTP
headers, and a malicious server or man-in-the-middle could send
specially crafted data that could overflow the buffer. This could
lead to a crash or remote code execution (CVE-2013-0272).
Sametime crash with long user IDs in Pidgin before 2.10.7. libpurple
failed to null-terminate user IDs that were longer than 4096 bytes.
It is plausible that a malicious server could send such an ID to the
client, which would lead to a crash (CVE-2013-0273).
Crash when receiving a UPnP response with abnormally long values in
Pidgin before 2.10.7. libpurple failed to null-terminate some strings
when parsing the response from a UPnP router. This could lead to a
crash if a malicious user on your network responds with a specially
crafted message (CVE-2013-0274).
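The three remaining issues share a root cause: data of attacker-controlled length is copied into fixed-size buffers, either past the end (CVE-2013-0272) or without the terminating NUL that later string functions rely on (CVE-2013-0273 and CVE-2013-0274). The following is an added illustration in C (not libpurple's code; the 4096-byte limit comes from the advisory, the function names and the header format are assumptions): it shows why `strncpy()` alone does not terminate, a bounded copy that always does, and a header-line parser that works from the buffer length received from the network rather than trusting the input to fit.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative code, not libpurple's. */

/* The trap behind the two null-termination bugs: strncpy() pads short
 * sources but writes no terminator once the source is dstlen bytes or
 * longer. Returns 1 if dst ends up NUL-terminated within dstlen, else 0.
 * (memchr keeps the check inside the buffer, so this is safe to call.) */
int strncpy_leaves_terminator(char *dst, size_t dstlen, const char *src)
{
    strncpy(dst, src, dstlen);
    return memchr(dst, '\0', dstlen) != NULL;
}

/* Copy srclen bytes of src into dst, always terminating. Returns 0, or
 * -1 if the source had to be truncated (the caller decides whether that
 * is acceptable or grounds to drop the message). */
int copy_bounded(char *dst, size_t dstlen, const char *src, size_t srclen)
{
    if (dstlen == 0)
        return -1;
    if (srclen >= dstlen) {
        memcpy(dst, src, dstlen - 1);
        dst[dstlen - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* Parse one "Name: value" line from a network buffer of known length
 * (not assumed to be NUL-terminated) into fixed-size fields. Returns the
 * number of bytes consumed, 0 if no complete line has arrived yet, or -1
 * if the line is malformed or a field would not fit its buffer. */
long parse_header_line(const char *buf, size_t buflen,
                       char *name, size_t namelen,
                       char *value, size_t valuelen)
{
    const char *nl = memchr(buf, '\n', buflen);
    if (nl == NULL)
        return 0;
    size_t linelen = (size_t)(nl - buf);
    size_t consumed = linelen + 1;
    if (linelen > 0 && buf[linelen - 1] == '\r')
        linelen--;
    const char *colon = memchr(buf, ':', linelen);
    if (colon == NULL)
        return -1;
    size_t nlen = (size_t)(colon - buf);
    const char *v = colon + 1;
    size_t vlen = linelen - nlen - 1;
    while (vlen > 0 && (*v == ' ' || *v == '\t')) {
        v++;
        vlen--;
    }
    /* Oversized fields are rejected instead of spilling past the buffer. */
    if (copy_bounded(name, namelen, buf, nlen) != 0)
        return -1;
    if (copy_bounded(value, valuelen, v, vlen) != 0)
        return -1;
    return (long)consumed;
}
```

The parser never calls `strlen()` or `strstr()` on the raw network buffer, since nothing guarantees it is terminated; every search is a `memchr()` bounded by the byte count the socket actually delivered. A user ID of 4097 bytes copied into a 4096-byte buffer with `copy_bounded` comes out truncated and terminated, which is a protocol error the caller can report, rather than an unterminated buffer that crashes on the next read.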
Pidgin has been updated to 2.10.7, which fixes these and other issues.
Updated Packages:
i586:
finch-2.10.7-1.1.mga2.i586.rpm
libfinch0-2.10.7-1.1.mga2.i586.rpm
libpurple0-2.10.7-1.1.mga2.i586.rpm
libpurple-devel-2.10.7-1.1.mga2.i586.rpm
pidgin-2.10.7-1.1.mga2.i586.rpm
pidgin-bonjour-2.10.7-1.1.mga2.i586.rpm
pidgin-client-2.10.7-1.1.mga2.i586.rpm
pidgin-i18n-2.10.7-1.1.mga2.noarch.rpm
pidgin-meanwhile-2.10.7-1.1.mga2.i586.rpm
pidgin-perl-2.10.7-1.1.mga2.i586.rpm
pidgin-plugins-2.10.7-1.1.mga2.i586.rpm
pidgin-silc-2.10.7-1.1.mga2.i586.rpm
pidgin-tcl-2.10.7-1.1.mga2.i586.rpm
pidgin-debug-2.10.7-1.1.mga2.i586.rpm
x86_64:
finch-2.10.7-1.1.mga2.x86_64.rpm
lib64finch0-2.10.7-1.1.mga2.x86_64.rpm
lib64purple0-2.10.7-1.1.mga2.x86_64.rpm
lib64purple-devel-2.10.7-1.1.mga2.x86_64.rpm
pidgin-2.10.7-1.1.mga2.x86_64.rpm
pidgin-bonjour-2.10.7-1.1.mga2.x86_64.rpm
pidgin-client-2.10.7-1.1.mga2.x86_64.rpm
pidgin-i18n-2.10.7-1.1.mga2.noarch.rpm
pidgin-meanwhile-2.10.7-1.1.mga2.x86_64.rpm
pidgin-perl-2.10.7-1.1.mga2.x86_64.rpm
pidgin-plugins-2.10.7-1.1.mga2.x86_64.rpm
pidgin-silc-2.10.7-1.1.mga2.x86_64.rpm
pidgin-tcl-2.10.7-1.1.mga2.x86_64.rpm
pidgin-debug-2.10.7-1.1.mga2.x86_64.rpm
SRPMS:
pidgin-2.10.7-1.1.mga2.src.rpm
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0272
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0273
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0274
http://pidgin.im/news/security/?id=65
http://pidgin.im/news/security/?id=66
http://pidgin.im/news/security/?id=67
http://pidgin.im/news/security/?id=68
https://developer.pidgin.im/wiki/ChangeLog
https://bugs.mageia.org/show_bug.cgi?id=9064