
[Backports-security-announce] Security Update for pidgin

2009-07-29 21:34:46
lists.debian.org

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
  Access Vector:          NETWORK
  Access Complexity:      MEDIUM
  Authentication:         NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact:       COMPLETE
  Availability Impact:    COMPLETE

EPSS: 0.176 (Low), percentile 95.6%

Gerfried Fuchs uploaded new packages for pidgin which fixed the
following security problems:

CVE-2009-1373

Buffer overflow in the XMPP SOCKS5 bytestream server in Pidgin
(formerly Gaim) before 2.5.6 allows remote authenticated users to
execute arbitrary code via vectors involving an outbound XMPP file
transfer.

CVE-2009-1374

Buffer overflow in the decrypt_out function in Pidgin (formerly Gaim)
before 2.5.6 allows remote attackers to cause a denial of service
(application crash) via a QQ packet.

CVE-2009-1375

The PurpleCircBuffer implementation in Pidgin (formerly Gaim) before
2.5.6 does not properly maintain a certain buffer, which allows remote
attackers to cause a denial of service (memory corruption and
application crash) via vectors involving the (1) XMPP or (2) Sametime
protocol.

CVE-2009-1376

Multiple integer overflows in the msn_slplink_process_msg functions in
the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and
(2) libpurple/protocols/msnp9/slplink.c in Pidgin (formerly Gaim)
before 2.5.6 on 32-bit platforms allow remote attackers to execute
arbitrary code via a malformed SLP message with a crafted offset
value, leading to buffer overflows. NOTE: this issue exists because of
an incomplete fix for CVE-2008-2927.
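The bug class behind CVE-2009-1376 is a length check of the form offset + len <= size that wraps on 32-bit arithmetic, so a crafted offset passes the check and the following copy runs past the buffer. The following is an added hypothetical C example, not Pidgin's slplink.c code: a toy chunk-reassembly buffer with the wrapping check beside a form that cannot wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical reassembly buffer (constructed for this example):
 * chunks arrive with an offset and a length and are copied into a
 * fixed-size buffer whose declared total size is known up front. */
#define BUF_SIZE 4096

typedef struct {
    unsigned char data[BUF_SIZE];
    size_t size;            /* declared total size, <= BUF_SIZE */
} chunk_buf;

/* Wrapping check: uint32_t models 32-bit size arithmetic. For a large
 * offset, offset + len wraps to a small value, the comparison passes,
 * and the subsequent copy would write far outside the buffer. */
bool chunk_fits_unsafe(size_t size, uint32_t offset, uint32_t len) {
    uint32_t end = offset + len;    /* may wrap around to a small value */
    return end <= size;
}

/* Hardened check: never computes offset + len. Rejects an offset past
 * the end first, then compares len against the remaining room, which
 * cannot overflow because size - offset is known to be non-negative. */
bool chunk_fits_safe(size_t size, uint32_t offset, uint32_t len) {
    if (offset > size)
        return false;
    return len <= size - offset;
}

/* Copies a chunk in only when the hardened check accepts it.
 * Returns 0 on success, -1 when the chunk is rejected. */
int append_chunk(chunk_buf *b, uint32_t offset,
                 const unsigned char *src, uint32_t len) {
    if (b->size > BUF_SIZE || !chunk_fits_safe(b->size, offset, len))
        return -1;
    memcpy(b->data + offset, src, len);
    return 0;
}
```

For a buffer of 4096 bytes, an offset of 0xFFFFFF00 with length 0x200 wraps to 0x100 and is accepted by the unsafe check, while the hardened check rejects it; ordinary in-range chunks are accepted by both.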

CVE-2009-1889, Debian Bug #535790

The OSCAR protocol implementation in Pidgin before 2.5.8 misinterprets
the ICQWebMessage message type as the ICQSMS message type, which
allows remote attackers to cause a denial of service (application
crash) via a crafted ICQ web message that triggers allocation of a
large amount of memory.

For the lenny-backports distribution the problems (with the exception of
CVE-2009-1889) have been fixed in version 2.4.3-4lenny2.

For the squeeze and sid distributions the problems have been fixed in
version 2.5.8-1.

Upgrade instructions

If you don't use pinning (see [1]) you have to update the packages
manually via "apt-get -t etch-backports install <packagelist>" with the
packagelist of your installed packages affected by this update.

[1] <http://backports.org/dokuwiki/doku.php?id=instructions>

We recommend pinning the backports repository to 200 so that new versions
of installed backports will be installed automatically:

Package: *
Pin: release a=etch-backports
Pin-Priority: 200

OS      Version  Architecture  Package  Version    Filename
Debian  6        all           pidgin   < 2.5.8-1  pidgin_2.5.8-1_all.deb
