Mandriva Linux Security Advisory 2011-132 - Multiple vulnerabilities have been identified and fixed in pidgin. It was found that the gdk-pixbuf GIF image loader routine gdk_pixbuf__gif_image_load() did not properly handle certain return values from its subroutines. A remote attacker could provide a specially-crafted GIF image, which, once opened in Pidgin, would lead gdk-pixbuf to return a partially initialized pixbuf structure. Various other issues were also addressed.
eaf6bc4bf66d4b776855519d1cbcc90bbe420368f1e1d0834c2cd1a506f8aebf
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:132-1
http://www.mandriva.com/security/
_______________________________________________________________________
Package : pidgin
Date : September 17, 2011
Affected: 2011.
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been identified and fixed in pidgin:
It was found that the gdk-pixbuf GIF image loader routine
gdk_pixbuf__gif_image_load() did not properly handle certain return
values from its subroutines. A remote attacker could provide a
specially-crafted GIF image, which, once opened in Pidgin, would lead
gdk-pixbuf to return a partially initialized pixbuf structure. Using
this structure, possibly containing a huge width and height, could
lead to the application being terminated due to excessive memory use
(CVE-2011-2485).
Certain characters in the nicknames of IRC users can trigger a
null pointer dereference in the IRC protocol plugin's handling of
responses to WHO requests. This can cause a crash on some operating
systems. Clients based on libpurple 2.8.0 through 2.9.0 are affected
(CVE-2011-2943).
Incorrect handling of HTTP 100 responses in the MSN protocol plugin
can cause the application to attempt to access memory that it does
not have access to. This only affects users who have turned on the
HTTP connection method for their accounts (it's off by default). This
might only be triggerable by a malicious server and not a malicious
peer. We believe remote code execution is not possible (CVE-2011-3184).
This update provides pidgin 2.10.0, which is not vulnerable to
these issues.
Update:
Packages for Mandriva Linux 2011 is now being provided as well. Enjoy!
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2943
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3184
http://pidgin.im/news/security/
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2011:
f30d9eb8784ecc490e9267a3afd9681d 2011/i586/finch-2.10.0-0.1-mdv2011.0.i586.rpm
c3cef6e7db660c78a52241d427fe67c6 2011/i586/libfinch0-2.10.0-0.1-mdv2011.0.i586.rpm
b1bda00d68d706954d0a23ff13053bbe 2011/i586/libpurple0-2.10.0-0.1-mdv2011.0.i586.rpm
b1e05edaa2a234697a8618da370a5eba 2011/i586/libpurple-devel-2.10.0-0.1-mdv2011.0.i586.rpm
e8a6321eabf0e88b13a7121e06f88588 2011/i586/pidgin-2.10.0-0.1-mdv2011.0.i586.rpm
df8b6157762c34972b26959e9e0b8670 2011/i586/pidgin-bonjour-2.10.0-0.1-mdv2011.0.i586.rpm
323307becdb33612085c108356de0fe0 2011/i586/pidgin-client-2.10.0-0.1-mdv2011.0.i586.rpm
4ff033d530ce6925dc5c3c9516f0f71e 2011/i586/pidgin-gevolution-2.10.0-0.1-mdv2011.0.i586.rpm
e7282726de99c169675a927ee87e318d 2011/i586/pidgin-i18n-2.10.0-0.1-mdv2011.0.i586.rpm
5b0d0784b39a4fb7fb179e5083a4f0f6 2011/i586/pidgin-meanwhile-2.10.0-0.1-mdv2011.0.i586.rpm
0f3fbed0cdbb0cb9c0d8621d821d34c8 2011/i586/pidgin-perl-2.10.0-0.1-mdv2011.0.i586.rpm
9117f4f6cd51b274ebfe32b8df1355fb 2011/i586/pidgin-plugins-2.10.0-0.1-mdv2011.0.i586.rpm
da47178daab129eac1b2d334330ebe9b 2011/i586/pidgin-silc-2.10.0-0.1-mdv2011.0.i586.rpm
c694a44d5051390026fa75b7b71ad0a8 2011/i586/pidgin-tcl-2.10.0-0.1-mdv2011.0.i586.rpm
c33eef6270b588ee33df4ddaa968eab3 2011/SRPMS/pidgin-2.10.0-0.1.src.rpm
Mandriva Linux 2011/X86_64:
7cd751354229ed6dec93d7ec652758f7 2011/x86_64/finch-2.10.0-0.1-mdv2011.0.x86_64.rpm
14af8584523addd64e870ac6deb71bb6 2011/x86_64/lib64finch0-2.10.0-0.1-mdv2011.0.x86_64.rpm
fb55c6c1c349145794147f4e5e855f63 2011/x86_64/lib64purple0-2.10.0-0.1-mdv2011.0.x86_64.rpm
676eea02b713243dd259edac8260eaaf 2011/x86_64/lib64purple-devel-2.10.0-0.1-mdv2011.0.x86_64.rpm
de0cda6937539b552c605bb02547a606 2011/x86_64/pidgin-2.10.0-0.1-mdv2011.0.x86_64.rpm
c50b5acc263a44cfcfde9aba892aefb8 2011/x86_64/pidgin-bonjour-2.10.0-0.1-mdv2011.0.x86_64.rpm
95445621358bebfe246778e3195bd496 2011/x86_64/pidgin-client-2.10.0-0.1-mdv2011.0.x86_64.rpm
d32ef3d0c5f3e030dfe931cc11fcd0e5 2011/x86_64/pidgin-gevolution-2.10.0-0.1-mdv2011.0.x86_64.rpm
65ba1b2ee488d746fa45568d08f1ec6d 2011/x86_64/pidgin-i18n-2.10.0-0.1-mdv2011.0.x86_64.rpm
371e329ab6aa9f90131b37d971bb0520 2011/x86_64/pidgin-meanwhile-2.10.0-0.1-mdv2011.0.x86_64.rpm
2956fd8520f7a92cff7345d85b71f6a3 2011/x86_64/pidgin-perl-2.10.0-0.1-mdv2011.0.x86_64.rpm
11c8e87c57ecbee206b18e94dd2b0e7a 2011/x86_64/pidgin-plugins-2.10.0-0.1-mdv2011.0.x86_64.rpm
e1bf5b177d8f0c2e2107702dc14d55e5 2011/x86_64/pidgin-silc-2.10.0-0.1-mdv2011.0.x86_64.rpm
79fbeed99bac330be3028501122997af 2011/x86_64/pidgin-tcl-2.10.0-0.1-mdv2011.0.x86_64.rpm
c33eef6270b588ee33df4ddaa968eab3 2011/SRPMS/pidgin-2.10.0-0.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFOdGhbmqjQ0CJFipgRAoq8AJ9Pbp2Bmq3TX9+DCZ1R6jYxA3E3wACgtpVd
z6JYlgJxgBisXqUFlmviPkc=
=wwem
-----END PGP SIGNATURE-----