Pardus: 2011-111: pidgin: Multiple Vulnerabilities
Posted by Benjamin D. Thomas   
Multiple vulnerabilities have been fixed in pidgin.
------------------------------------------------------------------------
Pardus Linux Security Advisory 2011-111           security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2011-09-05
      Type: Remote
------------------------------------------------------------------------

Summary
======
Multiple vulnerabilities have been fixed in pidgin.


Description
==========
CVE-2011-3184:

The msn_httpconn_parse_data function in httpconn.c in the MSN  protocol
plugin in libpurple in Pidgin before 2.10.0 does  not  properly  handle
HTTP 100 responses, which allows remote attackers to cause a denial  of
service (incorrect memory access and  application  crash)  via  vectors
involving a crafted server message.



CVE-2011-2943:

The irc_msg_who function in  msgs.c  in  the  IRC  protocol  plugin  in
libpurple 2.8.0 through 2.9.0 in Pidgin before 2.10.0 does not properly
validate characters in nicknames,  which  allows  user-assisted  remote
attackers to cause a denial of service (NULL  pointer  dereference  and
application crash) via a crafted nickname that is not properly  handled
in a WHO response.


Affected packages:

  Pardus 2009:
    pidgin, all before 2.10.0-48-22
  Pardus 2011:
    pidgin, all before 2.7.10-48-p11


Resolution
=========
There are update(s) for pidgin. You can update them via Package Manager
or with a single command from console:

  Pardus 2009:
    pisi up pidgin

  Pardus 2011:
    pisi up pidgin


References
=========
  * http://bugs.pardus.org.tr/show_bug.cgi?id000
  * http://bugs.pardus.org.tr/show_bug.cgi?id007

------------------------------------------------------------------------