USN-886-1: Pidgin vulnerabilities

Posted 01-18-2010
USN-886-1: Pidgin vulnerabilities

Referenced CVEs:
CVE-2008-2955, CVE-2009-1376, CVE-2009-2703, CVE-2009-3026, CVE-2009-3083, CVE-2009-3085, CVE-2009-3615, CVE-2010-0013


Description:
===========================================================
Ubuntu Security Notice USN-886-1                 January 18, 2010
pidgin vulnerabilities
CVE-2008-2955, CVE-2009-1376, CVE-2009-2703, CVE-2009-3026,
CVE-2009-3083, CVE-2009-3085, CVE-2009-3615, CVE-2010-0013
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
  pidgin  1:2.4.1-1ubuntu2.8

Ubuntu 8.10:
  pidgin  1:2.5.2-0ubuntu1.6

Ubuntu 9.04:
  pidgin  1:2.5.5-1ubuntu8.5

Ubuntu 9.10:
  pidgin  1:2.6.2-1ubuntu7.1

After a standard system upgrade you need to restart Pidgin to effect
the necessary changes.

Details follow:

It was discovered that Pidgin did not properly handle certain topic
messages in the IRC protocol handler. If a user were tricked into
connecting to a malicious IRC server, an attacker could cause Pidgin to
crash, leading to a denial of service. This issue only affected Ubuntu 8.04
LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-2703)

It was discovered that Pidgin did not properly enforce the "require
TLS/SSL" setting when connecting to certain older Jabber servers. If a
remote attacker were able to perform a man-in-the-middle attack, this flaw
could be exploited to view sensitive information. This issue only affected
Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3026)

It was discovered that Pidgin did not properly handle certain SLP invite
messages in the MSN protocol handler. A remote attacker could send a
specially crafted invite message and cause Pidgin to crash, leading to a
denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10
and Ubuntu 9.04. (CVE-2009-3083)

It was discovered that Pidgin did not properly handle certain errors in the
XMPP protocol handler. A remote attacker could send a specially crafted
message and cause Pidgin to crash, leading to a denial of service. This
issue only affected Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3085)

It was discovered that Pidgin did not properly handle malformed
contact-list data in the OSCAR protocol handler. A remote attacker could
send specially crafted contact-list data and cause Pidgin to crash, leading
to a denial of service. (CVE-2009-3615)

It was discovered that Pidgin did not properly handle custom smiley
requests in the MSN protocol handler. A remote attacker could send a
specially crafted filename in a custom smiley request and obtain arbitrary
files via directory traversal. This issue only affected Ubuntu 8.10, Ubuntu
9.04 and Ubuntu 9.10. (CVE-2010-0013)

Pidgin for Ubuntu 8.04 LTS was also updated to fix connection issues with
the MSN protocol.

USN-675-1 and USN-781-1 provided updated Pidgin packages to fix multiple
security vulnerabilities in Ubuntu 8.04 LTS. The security patches to fix
CVE-2008-2955 and CVE-2009-1376 were incomplete. This update corrects the
problem.

Original advisory details:

 It was discovered that Pidgin did not properly handle file transfers
 containing a long filename and special characters in the MSN protocol
 handler. A remote attacker could send a specially crafted filename in a
 file transfer request and cause Pidgin to crash, leading to a denial of
 service. (CVE-2008-2955)

 It was discovered that Pidgin did not properly handle certain malformed
 messages in the MSN protocol handler. A remote attacker could send a
 specially crafted message and possibly execute arbitrary code with user
 privileges. (CVE-2009-1376)
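The custom smiley issue (CVE-2010-0013) is a directory traversal: a peer-supplied filename was used to open a file under a local directory without being constrained to a single path component. The following is an added example, not Pidgin's code or the fix shipped in this update; it shows the kind of check a protocol handler should apply to such a name before building a path. The function names, the cache directory and the sample filenames are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical check (not Pidgin's own): accept a peer-supplied filename
 * only if it is a single plain path component, so that joining it under a
 * local directory cannot escape that directory. */
bool smiley_filename_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;

    /* Any path separator means the name spans more than one component. */
    if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL)
        return false;

    /* "." and ".." are directory references, not file names. */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;

    /* Control characters have no legitimate place in a filename. */
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p < 0x20 || *p == 0x7f)
            return false;
    }
    return true;
}

/* Build "<cachedir>/<name>" only after the name passes the check.
 * Returns the path length, or -1 if the name was rejected or the
 * result would not fit in the buffer. */
int build_smiley_path(char *out, size_t outlen,
                      const char *cachedir, const char *name)
{
    if (!smiley_filename_is_safe(name))
        return -1;

    int n = snprintf(out, outlen, "%s/%s", cachedir, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample inputs: one benign name, three that must be rejected. */
    const char *samples[] = { "grin.png", "../../etc/passwd", "sub/dir.png", ".." };
    char path[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = build_smiley_path(path, sizeof path, "/tmp/smileys", samples[i]);
        printf("%-20s -> %s\n", samples[i], n < 0 ? "rejected" : path);
    }
    return 0;
}
```

Rejecting anything that is not a bare component is simpler and easier to audit than trying to normalise ".." sequences out of a path; the name is only ever used to pick a file inside the cache directory, so there is no legitimate reason for it to contain a separator at all.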
