From:
[email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------- Debian Security Advisory DSA-1870-1
[email protected] http://www.debian.org/security/ Nico Golde August 19th, 2009
http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : pidgin
Vulnerability : insufficient input validation
Problem type : remote
Debian-specific: no
CVE ID : CVE-2009-2694
Federico Muttis discovered that libpurple, the shared library that adds
support for various instant messaging networks to the pidgin IM client, is vulnerable to a heap-based buffer overflow. This issue exists because of
an incomplete fix for CVE-2008-2927 and CVE-2009-1376. An attacker can
exploit this by sending two consecutive SLP packets to a victim via MSN.
The first packet is used to create an SLP message object with an offset of zero, the second packet then contains a crafted offset which hits the vulnerable code originally fixed in CVE-2008-2927 and CVE-2009-1376 and
allows an attacker to execute arbitrary code.
Note: Users with the "Allow only the users below" setting are not vulnerable
to this attack. If you can't install the below updates you may want to
set this via Tools->Privacy.
For the stable distribution (lenny), this problem has been fixed in
version 2.4.3-4lenny3.
For the testing distribution (squeeze), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in
version 2.5.9-1.
We recommend that you upgrade your pidgin packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Debian (stable)
- ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3.orig.tar.gz
Size/MD5 checksum: 13123610 d0e0bd218fbc67df8b2eca2f21fcd427
http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3.dsc
Size/MD5 checksum: 1784 e9bc246ba4f0ca8dab1436d66bd00adb
http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3.diff.gz
Size/MD5 checksum: 67928 545981a43e8c1b905ea1adb0da9b1b4d
Architecture independent packages:
http://security.debian.org/pool/updates/main/p/pidgin/libpurple-bin_2.4.3-4lenny3_all.deb
Size/MD5 checksum: 133552 d4adb0ff7da09da14d34f3ae9484ea94
http://security.debian.org/pool/updates/main/p/pidgin/pidgin-data_2.4.3-4lenny3_all.deb
Size/MD5 checksum: 7018488 09b2f817c71774e2108b4366602f5dcf
http://security.debian.org/pool/updates/main/p/pidgin/libpurple-dev_2.4.3-4lenny3_all.deb
Size/MD5 checksum: 276890 dab9b30c46f9a2c03af02d381cb029cf
http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dev_2.4.3-4lenny3_all.deb
Size/MD5 checksum: 354146 291a984ea00f92d67a3d0b99040d7d72
http://security.debian.org/pool/updates/main/p/pidgin/finch-dev_2.4.3-4lenny3_all.deb
Size/MD5 checksum: 159388 f73823fb36f1d0487cc29d0d71a7a471
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_alpha.deb
Size/MD5 checksum: 369628 cd01f407199d1ca84f2502c4f4d169db
http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_alpha.deb
Size/MD5 checksum: 779192 fdb6b047a48f3c255fa13a329dc5fc35
http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_alpha.deb
Size/MD5 checksum: 5545960 fe294dfeb4dd7ca7ff6e5636230c856c
http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_alpha.deb
Size/MD5 checksum: 1803004 81ef9e0af747f0b236b25b1407d38266
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_amd64.deb
Size/MD5 checksum: 345894 4b31436a96b5834d8ebe3639b837093d
http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_amd64.deb
Size/MD5 checksum: 5668550 58b27242ababd545a49b080527cd8769
http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_amd64.deb
Size/MD5 checksum: 722220 e249e5fb7581ec28a0f4e0a32fab3d2c
http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_amd64.deb
Size/MD5 checksum: 1706142 2f1f823ff5c26eb1cc67874633a6891d
arm architecture (ARM)
http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_arm.deb
Size/MD5 checksum: 315182 d935ef53df9f333d0b2eb8d38e2bb753
http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_arm.deb
Size/MD5 checksum: 655088 8631310cc8beb7902fef81b51af01fd8
http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_arm.deb
Size/MD5 checksum: 1490226 cfe0d6727f4a9aa671a3413817fb11ae
http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_arm.deb
Size/MD5 checksum: 5348504 d1ef7ddf61f0e44f46c646e4f4add280
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_armel.deb
Size/MD5 checksum: 5386792 c5d2643ba6bc47aa41de04b870bbca3d
http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_armel.deb
Size/MD5 checksum: 666444 507fd3b558360b054d67843f3dba2689
http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_armel.deb
Size/MD5 checksum: 318828 fcaea331f126eb2329bf54d0c8df7269
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)