LinuxSecurity.com
Mandriva: 2013:025: pidgin
Posted by Benjamin D. Thomas   
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:025
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : pidgin
 Date    : March 14, 2013
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in pidgin:
 
 The MXit protocol plugin in libpurple in Pidgin before 2.10.7 might
 allow remote attackers to create or overwrite files via a crafted
 (1) mxit or (2) mxit/imagestrips pathname (CVE-2013-0271).
 
 Buffer overflow in http.c in the MXit protocol plugin in libpurple
 in Pidgin before 2.10.7 allows remote servers to execute arbitrary
 code via a long HTTP header (CVE-2013-0272).
 
 sametime.c in the Sametime protocol plugin in libpurple in Pidgin
 before 2.10.7 does not properly terminate long user IDs, which allows
 remote servers to cause a denial of service (application crash)
 via a crafted packet (CVE-2013-0273).
 
 upnp.c in libpurple in Pidgin before 2.10.7 does not properly terminate
 long strings in UPnP responses, which allows remote attackers to
 cause a denial of service (application crash) by leveraging access
 to the local network (CVE-2013-0274).
 
 This update provides pidgin 2.10.7, which is not vulnerable to
 these issues.
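
The "does not properly terminate" failure described for CVE-2013-0273 and CVE-2013-0274, as an added C example that is not code from Pidgin or libpurple: a length-delimited field from a packet is copied into a fixed buffer, first with a bounded copy that writes no terminator, then with a check that rejects oversized fields and always terminates. The function names, `ID_MAX` and the sample field are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ID_MAX 16   /* constructed buffer size, not a value from libpurple */

/* Weak pattern: bounds the copy but writes no terminator when the
 * field fills the buffer, so later string functions read past dst. */
void copy_field_weak(char dst[ID_MAX], const char *field, size_t len)
{
    memcpy(dst, field, len < ID_MAX ? len : ID_MAX);
}

/* Hardened pattern: reject a field that cannot fit with its terminator,
 * otherwise copy it and always write the NUL. */
bool copy_field_checked(char dst[ID_MAX], const char *field, size_t len)
{
    if (len >= ID_MAX) {
        dst[0] = '\0';          /* leave a valid empty string behind */
        return false;
    }
    memcpy(dst, field, len);
    dst[len] = '\0';
    return true;
}

/* True when buf contains a NUL somewhere inside its ID_MAX bytes. */
bool is_terminated(const char buf[ID_MAX])
{
    return memchr(buf, '\0', ID_MAX) != NULL;
}

int main(void)
{
    /* Constructed input: a 24-byte field with no terminator, as it
     * would sit in a received packet. */
    char field[24];
    char weak[ID_MAX], checked[ID_MAX];

    memset(field, 'A', sizeof field);
    memset(weak, 'x', sizeof weak);   /* stale non-zero contents */
    copy_field_weak(weak, field, sizeof field);
    bool ok = copy_field_checked(checked, field, sizeof field);

    printf("weak terminated: %d\n", is_terminated(weak));
    printf("checked accepted: %d, terminated: %d\n", ok, is_terminated(checked));
    return 0;
}
```

Rejecting the oversized field, rather than silently truncating it, lets the caller drop the malformed message instead of acting on a shortened identifier.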
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0271
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0272
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0273
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0274
 http://www.pidgin.im/news/security/
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:

 Mandriva Enterprise Server 5/X86_64:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________
 