Referenced CVEs:
CVE-2008-2927, CVE-2008-2955, CVE-2008-2957, CVE-2008-3532
Description:
===========================================================Ubuntu Security Notice USN-675-1 November 24, 2008pidgin vulnerabilitiesCVE-2008-2927, CVE-2008-2955, CVE-2008-2957, CVE-2008-3532===========================================================A security issue affects the following Ubuntu releases:Ubuntu 7.10Ubuntu 8.04 LTSThis advisory also applies to the corresponding versions ofKubuntu, Edubuntu, and Xubuntu.The problem can be corrected by upgrading your system to thefollowing package versions:Ubuntu 7.10: pidgin 1:2.2.1-1ubuntu4.3Ubuntu 8.04 LTS: pidgin 1:2.4.1-1ubuntu2.2After a standard system upgrade you need to restart Pidgin to effectthe necessary changes.Details follow:It was discovered that Pidgin did not properly handle certain malformedmessages in the MSN protocol handler. A remote attacker could send a speciallycrafted message and possibly execute arbitrary code with user privileges.(CVE-2008-2927)It was discovered that Pidgin did not properly handle file transfers containinga long filename and special characters in the MSN protocol handler. A remoteattacker could send a specially crafted filename in a file transfer requestand cause Pidgin to crash, leading to a denial of service. (CVE-2008-2955)It was discovered that Pidgin did not impose resource limitations in the UPnPservice. A remote attacker could cause Pidgin to download arbitrary files and cause a denial of service from memory or disk space exhaustion.(CVE-2008-2957)It was discovered that Pidgin did not validate SSL certificates when using asecure connection. If a remote attacker were able to perform aman-in-the-middle attack, this flaw could be exploited to view sensitiveinformation. This update alters Pidgin behaviour by asking users to confirmthe validity of a certificate upon initial login. (CVE-2008-3532)
More...
