Pidgin buffer overflows in XMPP, MSN

Eric Shubert ejs at shubes.net
Thu Jun 4 08:01:46 MST 2009


Ryan Rix wrote:
> pidgin: buffer/integer overflows
> 
> *Package(s)*: pidgin
> *CVE #(s)*: CVE-2009-1373 
> <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1373>, 
> CVE-2009-1376 
> <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1376>
> *Created*: May 22, 2009
> *Updated*: June 2, 2009
> *Description*: 	From the Red Hat advisory:
> 
> A buffer overflow flaw was found in the way Pidgin initiates file 
> transfers when using the Extensible Messaging and Presence Protocol 
> (XMPP). If a Pidgin client initiates a file transfer, and the remote 
> target sends a malformed response, it could cause Pidgin to crash or, 
> potentially, execute arbitrary code with the permissions of the user 
> running Pidgin. This flaw only affects accounts using XMPP, such as 
> Jabber and Google Talk. (CVE-2009-1373)
> 
> It was discovered that on 32-bit platforms, the Red Hat Security 
> Advisory RHSA-2008:0584 provided an incomplete fix for the integer 
> overflow flaw affecting Pidgin's MSN protocol handler. If a Pidgin 
> client receives a specially-crafted MSN message, it may be possible to 
> execute arbitrary code with the permissions of the user running Pidgin. 
> (CVE-2009-1376)
> 
> *Alerts*: 	
> Red Hat 	RHSA-2009:1059-02 <http://lwn.net/Alerts/334298/> 	2009-05-22
> Red Hat 	RHSA-2009:1060-02 <http://lwn.net/Alerts/334299/> 	2009-05-22
> CentOS 	CESA-2009:1059 <http://lwn.net/Alerts/334304/> 	2009-05-22
> CentOS 	CESA-2009:1060 <http://lwn.net/Alerts/334571/> 	2009-05-22
> Debian 	DSA-1805-1 <http://lwn.net/Alerts/334558/> 	2009-05-22
> Gentoo 	200905-07 <http://lwn.net/Alerts/334681/> 	2009-05-25
> Slackware 	SSA:2009-146-01 <http://lwn.net/Alerts/334879/> 	2009-05-27
> Fedora 	FEDORA-2009-5552 <http://lwn.net/Alerts/335740/> 	2009-05-28
> Fedora 	FEDORA-2009-5597 <http://lwn.net/Alerts/335741/> 	2009-05-28
> Fedora 	FEDORA-2009-5583 <http://lwn.net/Alerts/335742/> 	2009-05-28
> 
> 
> http://lwn.net/Articles/334067/
> 
> -- 
> Thanks and best regards,
> Ryan Rix
> TamsPalm - The PalmOS Blog
> (623)-239-1103 <-- Grand Central, baby!
> 
> Jasmine Bowden - Class of 2009, Marc Rasmussen - Class of 2008, Erica
> Sheffey - Class of 2009, Rest in peace.
> 

I presume that's what the Ubuntu (8.04 LTS) update for Pidgin that came 
out yesterday was for.

I do appreciate not having to track and worry about that sort of thing 
(but I'm glad someone does). I simply apply the updates as they appear. 
Nice. :)

-- 
-Eric 'shubes'