-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2011:183
http://www.mandriva.com/security/
_______________________________________________________________________

Package : pidgin
Date    : December 10, 2011
Affected: 2010.1, 2011., Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been discovered and corrected in pidgin:

When receiving various stanzas related to voice and video chat,
the XMPP protocol plugin failed to ensure that the incoming message
contained all required fields, and would crash if certain fields
were missing.

When receiving various messages related to requesting or receiving
authorization for adding a buddy to a buddy list, the oscar protocol
plugin failed to validate that a piece of text was UTF-8. In some
cases invalid UTF-8 data would lead to a crash (CVE-2011-4601).

When receiving various incoming messages, the SILC protocol plugin
failed to validate that a piece of text was UTF-8. In some cases
invalid UTF-8 data would lead to a crash (CVE-2011-3594).

This update provides pidgin 2.10.1, which is not vulnerable to
these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3594
http://www.pidgin.im/news/security/
http://pidgin.im/news/security/?id=56
http://pidgin.im/news/security/?id=57
http://pidgin.im/news/security/?id=58
_______________________________________________________________________

Updated Packages:

_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFO48eXmqjQ0CJFipgRAi1zAJ9XZyr4ewcx6I07V7lmlYNcx4Op+gCdF0nv
qxwMoDXEu1edILl3CkSnFvQ=
=Bho6
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/