Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.1206
New pidgin packages fix arbitrary code execution
20 August 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: pidgin
Publisher: Debian
Operating System: Debian GNU/Linux 5
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2009-2694
Reference: ESB-2009.1197
Original Bulletin:
http://www.debian.org/security/2009/dsa-1870
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - --------------------------------------------------------------------------
Debian Security Advisory DSA-1870-1 security@debian.org
http://www.debian.org/security/ Nico Golde
August 19th, 2009 http://www.debian.org/security/faq
- - --------------------------------------------------------------------------
Package : pidgin
Vulnerability : insufficient input validation
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-2694
Federico Muttis discovered that libpurple, the shared library that adds
support for various instant messaging networks to the pidgin IM client, is
vulnerable to a heap-based buffer overflow. This issue exists because of
an incomplete fix for CVE-2008-2927 and CVE-2009-1376. An attacker can
exploit this by sending two consecutive SLP packets to a victim via MSN.
The first packet is used to create an SLP message object with an offset of
zero, the second packet then contains a crafted offset which hits the
vulnerable code originally fixed in CVE-2008-2927 and CVE-2009-1376 and
allows an attacker to execute arbitrary code.
Note: Users with the "Allow only the users below" setting are not vulnerable
to this attack. If you can't install the below updates you may want to
set this via Tools->Privacy.
For the stable distribution (lenny), this problem has been fixed in
version 2.4.3-4lenny3.
For the testing distribution (squeeze), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in
version 2.5.9-1.
We recommend that you upgrade your pidgin packages.
Upgrade instructions
- - --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
- - --------------------------------
Debian (stable)
- - ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3.orig.tar.gz
Size/MD5 checksum: 13123610 d0e0bd218fbc67df8b2eca2f21fcd427
http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3.dsc
Size/MD5 checksum: 1784 e9bc246ba4f0ca8dab1436d66bd00adb
http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3.diff.gz
Size/MD5 checksum: 67928 545981a43e8c1b905ea1adb0da9b1b4d
Architecture independent packages:
http://security.debian.org/pool/updates/main/p/pidgin/libpurple-bin_2.4.3-4lenny3_all.deb
Size/MD5 checksum: 133552 d4adb0ff7da09da14d34f3ae9484ea94
http://security.debian.org/pool/updates/main/p/pidgin/pidgin-data_2.4.3-4lenny3_all.deb
Size/MD5 checksum: 7018488 09b2f817c71774e2108b4366602f5dcf
http://security.debian.org/pool/updates/main/p/pidgin/libpurple-dev_2.4.3-4lenny3_all.deb
Size/MD5 checksum: 276890 dab9b30c46f9a2c03af02d381cb029cf
http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dev_2.4.3-4lenny3_all.deb
Size/MD5 checksum: 354146 291a984ea00f92d67a3d0b99040d7d72
http://security.debian.org/pool/updates/main/p/pidgin/finch-dev_2.4.3-4lenny3_all.deb
Size/MD5 checksum: 159388 f73823fb36f1d0487cc29d0d71a7a471
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_alpha.deb
Size/MD5 checksum: 369628 cd01f407199d1ca84f2502c4f4d169db
http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_alpha.deb
Size/MD5 checksum: 779192 fdb6b047a48f3c255fa13a329dc5fc35
http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_alpha.deb
Size/MD5 checksum: 5545960 fe294dfeb4dd7ca7ff6e5636230c856c
http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_alpha.deb
Size/MD5 checksum: 1803004 81ef9e0af747f0b236b25b1407d38266
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_amd64.deb
Size/MD5 checksum: 345894 4b31436a96b5834d8ebe3639b837093d
http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_amd64.deb
Size/MD5 checksum: 5668550 58b27242ababd545a49b080527cd8769
http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_amd64.deb
Size/MD5 checksum: 722220 e249e5fb7581ec28a0f4e0a32fab3d2c
http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_amd64.deb
Size/MD5 checksum: 1706142 2f1f823ff5c26eb1cc67874633a6891d
arm architecture (ARM)
http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_arm.deb
Size/MD5 checksum: 315182 d935ef53df9f333d0b2eb8d38e2bb753
http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_arm.deb
Size/MD5 checksum: 655088 8631310cc8beb7902fef81b51af01fd8
http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_arm.deb
Size/MD5 checksum: 1490226 cfe0d6727f4a9aa671a3413817fb11ae
http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_arm.deb
Size/MD5 checksum: 5348504 d1ef7ddf61f0e44f46c646e4f4add280
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_armel.deb
Size/MD5 checksum: 5386792 c5d2643ba6bc47aa41de04b870bbca3d
http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_armel.deb
Size/MD5 checksum: 666444 507fd3b558360b054d67843f3dba2689
http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_armel.deb
Size/MD5 checksum: 318828 fcaea331f126eb2329bf54d0c8df7269
http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_armel.deb
Size/MD5 checksum: 1496868 1ac8d58c00019b1b0a3d742d4a02d074
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_hppa.deb
Size/MD5 checksum: 361112 366c71f9035322402a6c0bae4fe4d8a0
http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_hppa.deb
Size/MD5 checksum: 5489632 53fed112a1e8642c0f682fc29f361a4a
http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_hppa.deb
Size/MD5 checksum: 1827630 14a3a37c121b1e13c031f8894c5f4f64
http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_hppa.deb
Size/MD5 checksum: 753796 d50a7d1ba32773f791872bce6305b92c
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_i386.deb
Size/MD5 checksum: 1584144 54aeb3d38dd0cae7e486dab84a82cbb8
http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_i386.deb
Size/MD5 checksum: 680948 8144b0b957e103cedd0a617e37a3feae
http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_i386.deb
Size/MD5 checksum: 326656 4d75eb89954a304b036d5f14e751f72a
http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_i386.deb
Size/MD5 checksum: 5374132 2640104cb54145afda5a685607a1e74c
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_ia64.deb
Size/MD5 checksum: 5223582 02aa16c2f23681d9123f0fe35e3414fd
http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_ia64.deb
Size/MD5 checksum: 434672 fcc166e5359603ec5a02953f36b30e33
http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_ia64.deb
Size/MD5 checksum: 948114 38eb5dfe87ba4ffa01ace8cf7db745c4
http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_ia64.deb
Size/MD5 checksum: 2194278 82db59131767124c1cef53a9ef03de9e
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_mips.deb
Size/MD5 checksum: 5655702 d2694b5874bccdc4bde1a2debf2f1ad7
http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_mips.deb
Size/MD5 checksum: 653944 c39d08c1fe964baa5c1ff533432f7c4d
http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_mips.deb
Size/MD5 checksum: 1373212 9673d5480375e78dae3741b32615e112
http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_mips.deb
Size/MD5 checksum: 318262 aaff22798d1a88aa2d2e04b24b9a7932
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_powerpc.deb
Size/MD5 checksum: 5579128 be3d6412d3c5f41344f2b6a5a8f39bfe
http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_powerpc.deb
Size/MD5 checksum: 753872 81133dbb351067d2d3ef6bbc136c106f
http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_powerpc.deb
Size/MD5 checksum: 1760422 379017e7d47927678f6b404aa4d12936
http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_powerpc.deb
Size/MD5 checksum: 362944 f0cc1dea3b629fb34549d228599bd567
These files will probably be moved into the stable distribution on
its next update.
- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqMfNcACgkQHYflSXNkfP9w/QCfTs2ujTde2gHf/EgQAqpQsMKZ
zEsAnjFX6Klxk/soKTyNP5ckmvF8ivMp
=WcnE
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://www.auscert.org.au/1967
iD8DBQFKjJsRNVH5XJJInbgRAvEgAJ0bhM8p5WMRgea3QOCw/b6zUHhTUQCfY1xb
LiRKEnftmb3bW5lzO3aU2h8=
=16h3
-----END PGP SIGNATURE-----