USN-886-1: Pidgin vulnerabilities

Releases

• Ubuntu 9.10
• Ubuntu 9.04
• Ubuntu 8.10
• Ubuntu 8.04

Packages

• pidgin -

Details

It was discovered that Pidgin did not properly handle certain topic
messages in the IRC protocol handler. If a user were tricked into
connecting to a malicious IRC server, an attacker could cause Pidgin to
crash, leading to a denial of service. This issue only affected Ubuntu 8.04
LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-2703)

It was discovered that Pidgin did not properly enforce the "require
TLS/SSL" setting when connecting to certain older Jabber servers. If a
remote attacker were able to perform a machine-in-the-middle attack, this flaw
could be exploited to view sensitive information. This issue only affected
Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3026)

It was discovered that Pidgin did not properly handle certain SLP invite
messages in the MSN protocol handler. A remote attacker could send a
specially crafted invite message and cause Pidgin to crash, leading to a
denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10
and Ubuntu 9.04. (CVE-2009-3083)

It was discovered that Pidgin did not properly handle certain errors in the
XMPP protocol handler. A remote attacker could send a specially crafted
message and cause Pidgin to crash, leading to a denial of service. This
issue only affected Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3085)

It was discovered that Pidgin did not properly handle malformed
contact-list data in the OSCAR protocol handler. A remote attacker could
send specially crafted contact-list data and cause Pidgin to crash, leading
to a denial of service. (CVE-2009-3615)

It was discovered that Pidgin did not properly handle custom smiley
requests in the MSN protocol handler. A remote attacker could send a
specially crafted filename in a custom smiley request and obtain arbitrary
files via directory traversal. This issue only affected Ubuntu 8.10, Ubuntu
9.04 and Ubuntu 9.10. (CVE-2010-0013)

Pidgin for Ubuntu 8.04 LTS was also updated to fix connection issues with
the MSN protocol.

USN-675-1 and USN-781-1 provided updated Pidgin packages to fix multiple
security vulnerabilities in Ubuntu 8.04 LTS. The security patches to fix
CVE-2008-2955 and CVE-2009-1376 were incomplete. This update corrects the
problem. Original advisory details:

It was discovered that Pidgin did not properly handle file transfers
containing a long filename and special characters in the MSN protocol
handler. A remote attacker could send a specially crafted filename in a
file transfer request and cause Pidgin to crash, leading to a denial of
service. (CVE-2008-2955)

It was discovered that Pidgin did not properly handle certain malformed
messages in the MSN protocol handler. A remote attacker could send a
specially crafted message and possibly execute arbitrary code with user
privileges. (CVE-2009-1376)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.10

• pidgin - 1:2.6.2-1ubuntu7.1

Ubuntu 9.04

• pidgin - 1:2.5.5-1ubuntu8.5

Ubuntu 8.10

• pidgin - 1:2.5.2-0ubuntu1.6

Ubuntu 8.04

• pidgin - 1:2.4.1-1ubuntu2.8

After a standard system upgrade you need to restart Pidgin to effect
the necessary changes.

References

• CVE-2008-2955
• CVE-2009-1376
• CVE-2009-2703
• CVE-2009-3026
• CVE-2009-3083
• CVE-2009-3085
• CVE-2009-3615
• CVE-2010-0013

Related notices

• USN-675-1: pidgin
• USN-781-2: gaim
• USN-781-1: pidgin