[ GLSA 200901-13 ] Pidgin: Multiple vulnerabilities

[Pierre-Yves Rofes <py () gentoo org>]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200901-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Pidgin: Multiple vulnerabilities
      Date: January 20, 2009
      Bugs: #230045, #234135
        ID: 200901-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been discovered in Pidgin, allowing for
remote arbitrary code execution, Denial of Service and service
spoofing.

Background
==========

Pidgin (formerly Gaim) is an instant messaging client for a variety of
instant messaging protocols. It is based on the libpurple instant
messaging library.

Affected packages
=================

    -------------------------------------------------------------------
     Package        /  Vulnerable  /                        Unaffected
    -------------------------------------------------------------------
  1  net-im/pidgin       < 2.5.1                              >= 2.5.1

Description
===========

Multiple vulnerabilities have been discovered in Pidgin and the
libpurple library:

* A participant to the TippingPoint ZDI reported multiple integer
  overflows in the msn_slplink_process_msg() function in the MSN
  protocol implementation (CVE-2008-2927).

* Juan Pablo Lopez Yacubian is credited for reporting a
  use-after-free flaw in msn_slplink_process_msg() in the MSN protocol
  implementation (CVE-2008-2955).

* The included UPnP server does not limit the size of data to be
  downloaded for UPnP service discovery, according to a report by
  Andrew Hunt and Christian Grothoff (CVE-2008-2957).

* Josh Triplett discovered that the NSS plugin for libpurple does not
  properly verify SSL certificates (CVE-2008-3532).

Impact
======

A remote attacker could send specially crafted messages or files using
the MSN protocol which could result in the execution of arbitrary code
or crash Pidgin. NOTE: Successful exploitation might require the
victim's interaction. Furthermore, an attacker could conduct
man-in-the-middle attacks to obtain sensitive information using bad
certificates and cause memory and disk resources to exhaust.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Pidgin users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-im/pidgin-2.5.1"

References
==========

  [ 1 ] CVE-2008-2927
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2927
  [ 2 ] CVE-2008-2955
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2955
  [ 3 ] CVE-2008-2957
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2957
  [ 4 ] CVE-2008-3532
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3532

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200901-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachment: signature.asc
Description: OpenPGP digital signature