finch, libpurple, pidgin security update

2017-08-24T01:40:35
ID CESA-2017:1854
Type centos
Reporter CentOS Project
Modified 2017-08-24T01:40:35

Description

CentOS Errata and Security Advisory CESA-2017:1854

Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.

The following packages have been upgraded to a later upstream version: pidgin (2.10.11). (BZ#1369526)

Security Fix(es):

  • A denial of service flaw was found in the way Pidgin's Mxit plug-in handled emoticons. A malicious remote server or a man-in-the-middle attacker could potentially use this flaw to crash Pidgin by sending a specially crafted emoticon. (CVE-2014-3695)

  • A denial of service flaw was found in the way Pidgin parsed Groupwise server messages. A malicious remote server or a man-in-the-middle attacker could potentially use this flaw to cause Pidgin to consume an excessive amount of memory, possibly leading to a crash, by sending a specially crafted message. (CVE-2014-3696)

  • An information disclosure flaw was discovered in the way Pidgin parsed XMPP messages. A malicious remote server or a man-in-the-middle attacker could potentially use this flaw to disclose a portion of memory belonging to the Pidgin process by sending a specially crafted XMPP message. (CVE-2014-3698)

  • An out-of-bounds write flaw was found in the way Pidgin processed XML content. A malicious remote server could potentially use this flaw to crash Pidgin or execute arbitrary code in the context of the pidgin process. (CVE-2017-2640)

  • It was found that Pidgin's SSL/TLS plug-ins had a flaw in the certificate validation functionality. An attacker could use this flaw to create a fake certificate that Pidgin would trust, which could then be used to conduct man-in-the-middle attacks against Pidgin. (CVE-2014-3694)

Red Hat would like to thank the Pidgin project for reporting these issues. Upstream acknowledges Yves Younan (Cisco Talos) and Richard Johnson (Cisco Talos) as the original reporters of CVE-2014-3695 and CVE-2014-3696; Thijs Alkemade and Paul Aurich as the original reporters of CVE-2014-3698; and Jacob Appelbaum and Moxie Marlinspike as the original reporters of CVE-2014-3694.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.

Merged security bulletin from advisories: http://lists.centos.org/pipermail/centos-cr-announce/2017-August/004450.html

Affected packages: finch finch-devel libpurple libpurple-devel libpurple-perl libpurple-tcl pidgin pidgin-devel pidgin-perl

Upstream details at: