[SECURITY] [DSA 1870-1] New pidgin packages fix arbitrary code execution

2009-08-19T22:33:52
ID DEBIAN:DSA-1870-1:14B64
Type debian
Reporter Debian
Modified 2009-08-19T22:33:52

Description


Debian Security Advisory DSA-1870-1 security@debian.org http://www.debian.org/security/ Nico Golde August 19th, 2009 http://www.debian.org/security/faq


Package : pidgin Vulnerability : insufficient input validation Problem type : remote Debian-specific: no CVE ID : CVE-2009-2694

Federico Muttis discovered that libpurple, the shared library that adds support for various instant messaging networks to the pidgin IM client, is vulnerable to a heap-based buffer overflow. This issue exists because of an incomplete fix for CVE-2008-2927 and CVE-2009-1376. An attacker can exploit this by sending two consecutive SLP packets to a victim via MSN.

The first packet is used to create an SLP message object with an offset of zero, the second packet then contains a crafted offset which hits the vulnerable code originally fixed in CVE-2008-2927 and CVE-2009-1376 and allows an attacker to execute arbitrary code.

Note: Users with the "Allow only the users below" setting are not vulnerable to this attack. If you can't install the below updates you may want to set this via Tools->Privacy.

For the stable distribution (lenny), this problem has been fixed in version 2.4.3-4lenny3.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 2.5.9-1.

We recommend that you upgrade your pidgin packages.

Upgrade instructions


wget url will fetch the file for you dpkg -i file.deb will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update will update the internal database apt-get upgrade will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny


Debian (stable)


Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3.orig.tar.gz Size/MD5 checksum: 13123610 d0e0bd218fbc67df8b2eca2f21fcd427 http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3.dsc Size/MD5 checksum: 1784 e9bc246ba4f0ca8dab1436d66bd00adb http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3.diff.gz Size/MD5 checksum: 67928 545981a43e8c1b905ea1adb0da9b1b4d

Architecture independent packages:

http://security.debian.org/pool/updates/main/p/pidgin/libpurple-bin_2.4.3-4lenny3_all.deb Size/MD5 checksum: 133552 d4adb0ff7da09da14d34f3ae9484ea94 http://security.debian.org/pool/updates/main/p/pidgin/pidgin-data_2.4.3-4lenny3_all.deb Size/MD5 checksum: 7018488 09b2f817c71774e2108b4366602f5dcf http://security.debian.org/pool/updates/main/p/pidgin/libpurple-dev_2.4.3-4lenny3_all.deb Size/MD5 checksum: 276890 dab9b30c46f9a2c03af02d381cb029cf http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dev_2.4.3-4lenny3_all.deb Size/MD5 checksum: 354146 291a984ea00f92d67a3d0b99040d7d72 http://security.debian.org/pool/updates/main/p/pidgin/finch-dev_2.4.3-4lenny3_all.deb Size/MD5 checksum: 159388 f73823fb36f1d0487cc29d0d71a7a471

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_alpha.deb Size/MD5 checksum: 369628 cd01f407199d1ca84f2502c4f4d169db http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_alpha.deb Size/MD5 checksum: 779192 fdb6b047a48f3c255fa13a329dc5fc35 http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_alpha.deb Size/MD5 checksum: 5545960 fe294dfeb4dd7ca7ff6e5636230c856c http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_alpha.deb Size/MD5 checksum: 1803004 81ef9e0af747f0b236b25b1407d38266

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_amd64.deb Size/MD5 checksum: 345894 4b31436a96b5834d8ebe3639b837093d http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_amd64.deb Size/MD5 checksum: 5668550 58b27242ababd545a49b080527cd8769 http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_amd64.deb Size/MD5 checksum: 722220 e249e5fb7581ec28a0f4e0a32fab3d2c http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_amd64.deb Size/MD5 checksum: 1706142 2f1f823ff5c26eb1cc67874633a6891d

arm architecture (ARM)

http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_arm.deb Size/MD5 checksum: 315182 d935ef53df9f333d0b2eb8d38e2bb753 http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_arm.deb Size/MD5 checksum: 655088 8631310cc8beb7902fef81b51af01fd8 http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_arm.deb Size/MD5 checksum: 1490226 cfe0d6727f4a9aa671a3413817fb11ae http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_arm.deb Size/MD5 checksum: 5348504 d1ef7ddf61f0e44f46c646e4f4add280

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_armel.deb Size/MD5 checksum: 5386792 c5d2643ba6bc47aa41de04b870bbca3d http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_armel.deb Size/MD5 checksum: 666444 507fd3b558360b054d67843f3dba2689 http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_armel.deb Size/MD5 checksum: 318828 fcaea331f126eb2329bf54d0c8df7269 http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_armel.deb Size/MD5 checksum: 1496868 1ac8d58c00019b1b0a3d742d4a02d074

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_hppa.deb Size/MD5 checksum: 361112 366c71f9035322402a6c0bae4fe4d8a0 http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_hppa.deb Size/MD5 checksum: 5489632 53fed112a1e8642c0f682fc29f361a4a http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_hppa.deb Size/MD5 checksum: 1827630 14a3a37c121b1e13c031f8894c5f4f64 http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_hppa.deb Size/MD5 checksum: 753796 d50a7d1ba32773f791872bce6305b92c

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_i386.deb Size/MD5 checksum: 1584144 54aeb3d38dd0cae7e486dab84a82cbb8 http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_i386.deb Size/MD5 checksum: 680948 8144b0b957e103cedd0a617e37a3feae http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_i386.deb Size/MD5 checksum: 326656 4d75eb89954a304b036d5f14e751f72a http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_i386.deb Size/MD5 checksum: 5374132 2640104cb54145afda5a685607a1e74c

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_ia64.deb Size/MD5 checksum: 5223582 02aa16c2f23681d9123f0fe35e3414fd http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_ia64.deb Size/MD5 checksum: 434672 fcc166e5359603ec5a02953f36b30e33 http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_ia64.deb Size/MD5 checksum: 948114 38eb5dfe87ba4ffa01ace8cf7db745c4 http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_ia64.deb Size/MD5 checksum: 2194278 82db59131767124c1cef53a9ef03de9e

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_mips.deb Size/MD5 checksum: 5655702 d2694b5874bccdc4bde1a2debf2f1ad7 http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_mips.deb Size/MD5 checksum: 653944 c39d08c1fe964baa5c1ff533432f7c4d http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_mips.deb Size/MD5 checksum: 1373212 9673d5480375e78dae3741b32615e112 http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_mips.deb Size/MD5 checksum: 318262 aaff22798d1a88aa2d2e04b24b9a7932

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_powerpc.deb Size/MD5 checksum: 5579128 be3d6412d3c5f41344f2b6a5a8f39bfe http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_powerpc.deb Size/MD5 checksum: 753872 81133dbb351067d2d3ef6bbc136c106f http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_powerpc.deb Size/MD5 checksum: 1760422 379017e7d47927678f6b404aa4d12936 http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_powerpc.deb Size/MD5 checksum: 362944 f0cc1dea3b629fb34549d228599bd567

These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>