-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.1234
                      Pidgin remote denial of service
                             13 December 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Pidgin
Publisher:        Mandriva
Operating System: Mandriva Linux
                  UNIX variants (UNIX, Linux, OSX)
                  Windows
Impact/Access:    Denial of Service -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2011-4601 CVE-2011-3594 

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Mandriva. It is recommended that administrators 
         running Pidgin check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:183
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : pidgin
 Date    : December 10, 2011
 Affected: 2010.1, 2011, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been discovered and corrected in pidgin:
 
 When receiving various stanzas related to voice and video chat,
 the XMPP protocol plugin failed to ensure that the incoming message
 contained all required fields, and would crash if certain fields
 were missing.
 
 When receiving various messages related to requesting or receiving
 authorization for adding a buddy to a buddy list, the oscar protocol
 plugin failed to validate that a piece of text was UTF-8. In some
 cases invalid UTF-8 data would lead to a crash (CVE-2011-4601).
 
 When receiving various incoming messages, the SILC protocol plugin
 failed to validate that a piece of text was UTF-8. In some cases
 invalid UTF-8 data would lead to a crash (CVE-2011-3594).
 
 This update provides pidgin 2.10.1, which is not vulnerable to
 these issues.
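 The three problems above share one defensive shape: a handler must check that a
 required field is actually present before dereferencing it, and must verify that
 untrusted text is well-formed UTF-8 before handing it to code that assumes it is.
 The following is an added example written for this bulletin, not libpurple's own
 code; the validator `utf8_valid`, the handler `handle_auth_msg` and its argument
 names are assumptions modelled loosely on the buddy-authorization case.

```c
#include <stddef.h>
#include <stdint.h>

/* Strict UTF-8 validator (added example, not libpurple code). Rejects stray
   continuation bytes, truncated sequences, overlong encodings, UTF-16
   surrogates and code points above U+10FFFF. Returns 1 if valid, else 0. */
int utf8_valid(const unsigned char *s, size_t len) {
    size_t i = 0;
    while (i < len) {
        unsigned char c = s[i];
        size_t n; uint32_t cp, min;
        if (c < 0x80) { i++; continue; }                              /* ASCII */
        else if ((c & 0xE0) == 0xC0) { n = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { n = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { n = 3; cp = c & 0x07; min = 0x10000; }
        else return 0;                     /* 0x80..0xBF alone, or 0xF8..0xFF */
        if (i + n >= len) return 0;        /* sequence runs past the buffer */
        for (size_t k = 1; k <= n; k++) {
            if ((s[i + k] & 0xC0) != 0x80) return 0;   /* not a continuation */
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min) return 0;                        /* overlong encoding */
        if (cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
        i += n + 1;
    }
    return 1;
}

enum verdict { ACCEPTED = 0, REJECT_MISSING_FIELD, REJECT_INVALID_UTF8 };

/* Constructed stand-in for handling an incoming authorization message:
   'sender' is a required field, 'reason' is optional free text from the wire.
   The message is dropped, not processed, when either check fails. */
enum verdict handle_auth_msg(const char *sender,
                             const unsigned char *reason, size_t reason_len) {
    if (sender == NULL)
        return REJECT_MISSING_FIELD;       /* never touch a field that is absent */
    if (reason != NULL && !utf8_valid(reason, reason_len))
        return REJECT_INVALID_UTF8;        /* keep bad bytes away from UTF-8-only code */
    return ACCEPTED;
}
```

Logging the rejected message's sender and protocol at the drop site gives a cheap detection signal for malformed traffic that previously would only have shown up as a crash.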
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4601
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3594
 http://www.pidgin.im/news/security/
 http://pidgin.im/news/security/?id=56
 http://pidgin.im/news/security/?id=57
 http://pidgin.im/news/security/?id=58
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFO48eXmqjQ0CJFipgRAi1zAJ9XZyr4ewcx6I07V7lmlYNcx4Op+gCdF0nv
qxwMoDXEu1edILl3CkSnFvQ=
=Bho6
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----