Pardus alert 2010-34 (pidgin)
From: Eren Turkay <eren@pardus.org.tr>
To: pardus-security@pardus.org.tr
Subject: [Pardus-security] [PLSA 2010-34] Pidgin: Multiple Vulnerabilities
Date: Thu, 25 Feb 2010 06:47:55 +0200 (EET)
Message-ID: <20100225044755.3E0DCA7AB4C@lider.pardus.org.tr>
------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-34            security@pardus.org.tr
------------------------------------------------------------------------
Date: 2010-02-25
Severity: 3
Type: Remote
------------------------------------------------------------------------

Summary
=======

Multiple vulnerabilities have been fixed in Pidgin. Both can be triggered
by a remote peer and result in a denial of service (a crash of the Finch
client, or an unresponsive Pidgin consuming CPU); neither is known to
allow code execution.

Description
===========

CVE-2010-0420 - "Finch XMPP MUC Crash":

Discovered by Sadrul Habib Chowdhury last week. In an XMPP MUC, if someone
changes the nick to '<br>' (using '/nick <br>' for example), then libpurple
ends up having two users with username '\n' in the room, and finch crashes
in this situation. We do not believe there is a possibility of remote code
execution. I believe this commit fixes the problem, and there is a patch
attached to add an extra safety check to Finch:

http://developer.pidgin.im/viewmtn/revision/info/0085c32a...

CVE-2010-0423 - "Smiley Denial of Service":

Pidgin becomes unresponsive and consumes lots of CPU when receiving an IM
containing many smileys. This is a remote denial of service attack, but is
not exploitable in any other way. It was reported to us by Andrea Barisani
of oCERT. I did revise the previous patch

Affected packages:

  Pardus 2009: pidgin, all versions before 2.6.6-38-12

Resolution
==========

There is an update for pidgin. You can install it via Package Manager or
with a single command from the console:

  pisi up pidgin

References
==========

  * http://bugs.pardus.org.tr/show_bug.cgi?id=12323
  * http://developer.pidgin.im/wiki/ChangeLog
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0420
  * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0423

------------------------------------------------------------------------
_______________________________________________
Pardus-security mailing list
Pardus-security@pardus.org.tr
http://liste.pardus.org.tr/mailman/listinfo/pardus-security
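An added illustration of the bug class behind CVE-2010-0420, written for this page and not taken from Pidgin, libpurple or Finch: a constructed model of a MUC member list in which a nick is converted from markup to plain text before it is stored, so the two distinct wire nicks '<br>' and '\n' end up as the same displayed name. The naive roster reproduces the duplicate-member state the advisory describes (and shows that lookups can only ever reach the first copy); the checked roster shows the kind of extra safety check that rejects the collision instead of leaving the client in an inconsistent state. The markup-to-text rule, the roster classes and the sample nicks are assumptions made for the example.

```python
import html
import re

# Constructed example, not libpurple/Finch code. Assumption: the client
# renders HTML-style markup in a nick to plain text ('<br>' -> '\n', other
# tags dropped, entities decoded) and uses that text as the member's name.
_BR_RE = re.compile(r"<br\s*/?>", re.IGNORECASE)
_TAG_RE = re.compile(r"<[^>]+>")


def markup_to_text(nick: str) -> str:
    """Plain-text rendering of a nick that may carry markup."""
    text = _BR_RE.sub("\n", nick)
    text = _TAG_RE.sub("", text)
    return html.unescape(text)


class NaiveRoster:
    """Member list keyed by displayed name with no collision check.

    Two wire nicks that render to the same text produce two entries with
    the same name, which is the state the advisory describes."""

    def __init__(self):
        self.members = []  # list of (display_name, wire_nick)

    def add(self, wire_nick: str) -> None:
        self.members.append((markup_to_text(wire_nick), wire_nick))

    def find(self, display_name: str):
        # Only the first match is reachable; the second entry with the
        # same name can never be found, renamed or removed by name.
        for name, wire in self.members:
            if name == display_name:
                return wire
        return None

    def duplicates(self) -> list:
        """Displayed names that occur more than once in the room."""
        counts = {}
        for name, _ in self.members:
            counts[name] = counts.get(name, 0) + 1
        return [n for n, c in counts.items() if c > 1]


class CheckedRoster(NaiveRoster):
    """Hardened variant: refuse a join/rename whose displayed form is
    empty or whitespace-only, or is already used by another member."""

    def add(self, wire_nick: str) -> None:
        name = markup_to_text(wire_nick)
        if not name.strip():
            raise ValueError("nick renders as empty/whitespace: %r" % wire_nick)
        if any(n == name for n, _ in self.members):
            raise ValueError("display nick already in use: %r" % name)
        self.members.append((name, wire_nick))


def demo():
    """Run both rosters over constructed sample nicks.

    Returns (duplicate names in the naive roster, member count in the
    checked roster, nicks the checked roster rejected)."""
    naive = NaiveRoster()
    for nick in ["alice", "<br>", "\n"]:
        naive.add(nick)

    checked = CheckedRoster()
    rejected = []
    for nick in ["alice", "<br>", "\n", "al<b>ice</b>"]:
        try:
            checked.add(nick)
        except ValueError:
            rejected.append(nick)
    return naive.duplicates(), len(checked.members), rejected


if __name__ == "__main__":
    print(demo())
```

The point of the check is that a collision is decided on the name the client actually keys on (the rendered text), not on the raw wire nick, so both '<br>' and a literal newline are caught by the same rule.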