Re: Pidgin buffer overflows in XMPP, MSN

Author: Eric Shubert
Date:  
To: plug-discuss
Subject: Re: Pidgin buffer overflows in XMPP, MSN
Ryan Rix wrote:
> pidgin: buffer/integer overflows
>
> *Package(s)*: pidgin
> *CVE #(s)*: CVE-2009-1373 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1373>,
> CVE-2009-1376 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1376>
> *Created*: May 22, 2009
> *Updated*: June 2, 2009
> *Description*: From the Red Hat advisory:
>
> A buffer overflow flaw was found in the way Pidgin initiates file
> transfers when using the Extensible Messaging and Presence Protocol
> (XMPP). If a Pidgin client initiates a file transfer, and the remote
> target sends a malformed response, it could cause Pidgin to crash or,
> potentially, execute arbitrary code with the permissions of the user
> running Pidgin. This flaw only affects accounts using XMPP, such as
> Jabber and Google Talk. (CVE-2009-1373)
>
> It was discovered that on 32-bit platforms, the Red Hat Security
> Advisory RHSA-2008:0584 provided an incomplete fix for the integer
> overflow flaw affecting Pidgin's MSN protocol handler. If a Pidgin
> client receives a specially-crafted MSN message, it may be possible to
> execute arbitrary code with the permissions of the user running Pidgin.
> (CVE-2009-1376)
>
> *Alerts*:     
> Red Hat     RHSA-2009:1059-02 <http://lwn.net/Alerts/334298/>     2009-05-22
> Red Hat     RHSA-2009:1060-02 <http://lwn.net/Alerts/334299/>     2009-05-22
> CentOS     CESA-2009:1059 <http://lwn.net/Alerts/334304/>     2009-05-22
> CentOS     CESA-2009:1060 <http://lwn.net/Alerts/334571/>     2009-05-22
> Debian     DSA-1805-1 <http://lwn.net/Alerts/334558/>     2009-05-22
> Gentoo     200905-07 <http://lwn.net/Alerts/334681/>     2009-05-25
> Slackware     SSA:2009-146-01 <http://lwn.net/Alerts/334879/>     2009-05-27
> Fedora     FEDORA-2009-5552 <http://lwn.net/Alerts/335740/>     2009-05-28
> Fedora     FEDORA-2009-5597 <http://lwn.net/Alerts/335741/>     2009-05-28
> Fedora     FEDORA-2009-5583 <http://lwn.net/Alerts/335742/>     2009-05-28
>
>
> http://lwn.net/Articles/334067/
>
> --
> Thanks and best regards,
> Ryan Rix
> TamsPalm - The PalmOS Blog
> (623)-239-1103 <-- Grand Central, baby!
>
> Jasmine Bowden - Class of 2009, Marc Rasmussen - Class of 2008, Erica
> Sheffey - Class of 2009, Rest in peace.
>


I presume that's what the Ubuntu (8.04 LTS) update for Pidgin that came
out yesterday was for.

I do appreciate not having to track and worry about that sort of thing
(but I'm glad someone does). I simply apply the updates as they appear.
Nice. :)

--
-Eric 'shubes'

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
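The second advisory quoted above notes that the earlier MSN integer-overflow fix was incomplete on 32-bit platforms. That is the classic width-dependent length check: an addition that wraps in 32-bit arithmetic but not in 64-bit. The C block below is an added illustration of that pattern and of the check that avoids it; it is not Pidgin's MSN code. The header size, buffer size, sample lengths and function names are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed framing for the illustration: a fixed-size header followed by
 * a payload whose length the remote peer declares on the wire. */
#define HEADER_LEN 16u
#define BUF_LEN    1024u

/* Pattern of an incomplete fix (hypothetical, not Pidgin's code): the sum is
 * computed in 32-bit unsigned arithmetic, so a declared length near
 * UINT32_MAX wraps to a small value and the comparison passes. On a 64-bit
 * build where such lengths are size_t the same sum does not wrap, which is
 * how a fix can look complete on one platform and still fail on the other.
 * uint32_t is used here so the wrap reproduces on any host. */
bool length_ok_unchecked(uint32_t declared_len, uint32_t buf_len)
{
    uint32_t needed = (uint32_t)(declared_len + HEADER_LEN); /* may wrap */
    return needed <= buf_len;
}

/* Hardened form: subtract from the known-good side instead of adding to the
 * peer-controlled side, so no intermediate value can overflow at any width. */
bool length_ok_checked(uint32_t declared_len, uint32_t buf_len)
{
    if (buf_len < HEADER_LEN)
        return false;
    return declared_len <= buf_len - HEADER_LEN;
}

/* Constructed sample of declared lengths as a peer might send them, checked
 * against a BUF_LEN-byte receive buffer. The last two are the values that the
 * wrap-around lets through. */
static const uint32_t SAMPLE_LENGTHS[] = {
    0u, 100u, 1008u, 1009u, 0xFFFFFFF0u, 0xFFFFFFFFu
};
#define SAMPLE_COUNT (sizeof SAMPLE_LENGTHS / sizeof SAMPLE_LENGTHS[0])

/* Number of sample lengths the unchecked predicate accepts for BUF_LEN. */
size_t accepted_unchecked(void)
{
    size_t n = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (length_ok_unchecked(SAMPLE_LENGTHS[i], BUF_LEN))
            n++;
    return n;
}

/* Number of sample lengths the hardened predicate accepts for BUF_LEN. */
size_t accepted_checked(void)
{
    size_t n = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (length_ok_checked(SAMPLE_LENGTHS[i], BUF_LEN))
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("declared=%10u  unchecked=%s  checked=%s\n",
               (unsigned)SAMPLE_LENGTHS[i],
               length_ok_unchecked(SAMPLE_LENGTHS[i], BUF_LEN) ? "accept" : "reject",
               length_ok_checked(SAMPLE_LENGTHS[i], BUF_LEN) ? "accept" : "reject");
    return 0;
}
```

Running it shows the unchecked predicate accepting 0xFFFFFFF0 and 0xFFFFFFFF against a 1024-byte buffer because the sum wraps to 0 and 15, while the subtraction form rejects them along with 1009. When reviewing a fix for this class of bug, build and test the check at the narrowest integer width the code ships on, not only on the 64-bit development host.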