===========================================================
Ubuntu Security Notice USN-675-1           November 24, 2008
pidgin vulnerabilities
CVE-2008-2927, CVE-2008-2955, CVE-2008-2957, CVE-2008-3532
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.10:
  pidgin                          1:2.2.1-1ubuntu4.3

Ubuntu 8.04 LTS:
  pidgin                          1:2.4.1-1ubuntu2.2

After a standard system upgrade you need to restart Pidgin to effect
the necessary changes.

Details follow:

It was discovered that Pidgin did not properly handle certain malformed
messages in the MSN protocol handler. A remote attacker could send a
specially crafted message and possibly execute arbitrary code with user
privileges. (CVE-2008-2927)

It was discovered that Pidgin did not properly handle file transfers
containing a long filename and special characters in the MSN protocol
handler. A remote attacker could send a specially crafted filename in a
file transfer request and cause Pidgin to crash, leading to a denial of
service. (CVE-2008-2955)

It was discovered that Pidgin did not impose resource limitations in the
UPnP service. A remote attacker could cause Pidgin to download arbitrary
files and cause a denial of service from memory or disk space
exhaustion. (CVE-2008-2957)

It was discovered that Pidgin did not validate SSL certificates when
using a secure connection. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could be exploited to view sensitive
information. This update alters Pidgin behaviour by asking users to
confirm the validity of a certificate upon initial login. (CVE-2008-3532)


Updated packages for Ubuntu 7.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3.diff.gz
      Size/MD5:    57978 254c333b127e6f18bf5deff2df48aace
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3.dsc
      Size/MD5:     1475 9e202c8cb64aa6f5b813c989caea7b93
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1.orig.tar.gz
      Size/MD5: 12868326 3de2ef29d4a62c515a223cba5d4c4671

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch-dev_2.2.1-1ubuntu4.3_all.deb
      Size/MD5:   143616 602c6c56f30d9f40013e41841d595edb
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-bin_2.2.1-1ubuntu4.3_all.deb
      Size/MD5:   123834 625e7e989d6a29d8887137b407078c90
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-dev_2.2.1-1ubuntu4.3_all.deb
      Size/MD5:   257634 8febe671445a717eb09809b591825416
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-data_2.2.1-1ubuntu4.3_all.deb
      Size/MD5:  1390894 5e360d9bd1b994a21e44bdd434004d42
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dev_2.2.1-1ubuntu4.3_all.deb
      Size/MD5:   201660 6844e4107ac223deaf57d022bd84540a
    http://security.ubuntu.com/ubuntu/pool/universe/p/pidgin/gaim_2.2.1-1ubuntu4.3_all.deb
      Size/MD5:   119274 7836e1d1c689528c1bd533e51b8b110b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.2.1-1ubuntu4.3_amd64.deb
      Size/MD5:   311318 fec706b32fe99bb814056899e85a30c2
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.2.1-1ubuntu4.3_amd64.deb
      Size/MD5:  1566428 e57dd483c64314b78811ae83afd01ab7
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.2.1-1ubuntu4.3_amd64.deb
      Size/MD5:  4873688 6b59077f56042c373ba0a0537766f197
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3_amd64.deb
      Size/MD5:   646402 f9d51d9559dae7a65e1ad771338d7cd9

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.2.1-1ubuntu4.3_i386.deb
      Size/MD5:   293002 767d3b4cea192f2f567bc4004e5c34ae
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.2.1-1ubuntu4.3_i386.deb
      Size/MD5:  1454484 051f1fe1704333c292e089d23cf1be4c
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.2.1-1ubuntu4.3_i386.deb
      Size/MD5:  4585518 02a2bac7b6ab2be201c1b2956cbae8af
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3_i386.deb
      Size/MD5:   603628 f071b1d796ca4d7894777b7c099e00f1

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.2.1-1ubuntu4.3_lpia.deb
      Size/MD5:   292214 f14424242e4002dc026fd32c55fd859e
    http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.2.1-1ubuntu4.3_lpia.deb
      Size/MD5:  1432448 5db14c19c6010f2a6cb10ae39f598488
    http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.2.1-1ubuntu4.3_lpia.deb
      Size/MD5:  4890584 a443f701a66508288371508bab68613c
    http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3_lpia.deb
      Size/MD5:   602262 78a8c49c3937cc0ec647f779b8f4a89b

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.2.1-1ubuntu4.3_powerpc.deb
      Size/MD5:   327048 b49ec32a017ba8eb95bdeb183a685dec
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.2.1-1ubuntu4.3_powerpc.deb
      Size/MD5:  1632672 cd12c695cf8694fc5dfab98d4192fa0b
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.2.1-1ubuntu4.3_powerpc.deb
      Size/MD5:  4843450 c483fbfca0036b0454a66231e5eb5ca4
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3_powerpc.deb
      Size/MD5:   678768 fce379059fbc71ef9c0016e77092c128

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.2.1-1ubuntu4.3_sparc.deb
      Size/MD5:   294868 0b79ad3c17899fc7d4e374903b4433a7
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.2.1-1ubuntu4.3_sparc.deb
      Size/MD5:  1483770 1ca2179e7f56fb64b3ff898163149aa8
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.2.1-1ubuntu4.3_sparc.deb
      Size/MD5:  4447692 3b7619af602cae52a0aaf305f8ffa554
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.2.1-1ubuntu4.3_sparc.deb
      Size/MD5:   609750 3471725c85e7183458134e7b6f72428f

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2.diff.gz
      Size/MD5:    66731 5928aa79ba1425f6171ff2498ed82c57
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2.dsc
      Size/MD5:     1539 be09a810e567b6d5e9c0e699ea6f6d35
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1.orig.tar.gz
      Size/MD5: 13297380 25e3593d5e6bfc17911111475a057778

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch-dev_2.4.1-1ubuntu2.2_all.deb
      Size/MD5:    37848 cdd046022be11e393c94cd06427f1a3a
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-bin_2.4.1-1ubuntu2.2_all.deb
      Size/MD5:    92034 4bb65e5ae1ce1345a8403ce45613123e
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple-dev_2.4.1-1ubuntu2.2_all.deb
      Size/MD5:   234266 050e32d2264f10bc4e16d43c9ef0f225
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-data_2.4.1-1ubuntu2.2_all.deb
      Size/MD5:  1328710 cbb005a2f0dc4b5bb2425d1448608863
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dev_2.4.1-1ubuntu2.2_all.deb
      Size/MD5:    72632 c724bea962c7107f16fbb1d4b837d738
    http://security.ubuntu.com/ubuntu/pool/universe/p/pidgin/gaim_2.4.1-1ubuntu2.2_all.deb
      Size/MD5:    86300 774f5f7e6d2a495eb272d4249d185df9

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.2_amd64.deb
      Size/MD5:   226884 778654356ed8517a62e531967a60619a
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.2_amd64.deb
      Size/MD5:  1604782 0693279fa29bb9b7c104e767a9d0cf96
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.2_amd64.deb
      Size/MD5:  4431992 f3301cd351a4d29bbf5fca944fd52ac3
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2_amd64.deb
      Size/MD5:   572144 3709481a941f530c1cfd8b18efadd367

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.2_i386.deb
      Size/MD5:   200878 8ea4b5d4ef47709be587bc0b30d27910
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.2_i386.deb
      Size/MD5:  1365460 2ba4f4606e478b325f49a6058ed09886
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.2_i386.deb
      Size/MD5:  4242032 90317cc00e3037e852ce3857914cf511
    http://security.ubuntu.com/ubuntu/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2_i386.deb
      Size/MD5:   517198 f7a61815aa2aff71475297cd7b76c546

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.2_lpia.deb
      Size/MD5:   197204 3858112dba3f65d1eb9a43d44a641226
    http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.2_lpia.deb
      Size/MD5:  1415086 d0d08032e22ac56132999a61d75f8071
    http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.2_lpia.deb
      Size/MD5:  4371468 30ef5919816607e4f2594e8fa664d02b
    http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2_lpia.deb
      Size/MD5:   511682 85c979fcb75af48298b2652469d46a47

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.2_powerpc.deb
      Size/MD5:   237202 196a4925b68d32e2ad35cff8aaec3b08
    http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.2_powerpc.deb
      Size/MD5:  1633050 9d3cb75d0b064b3c321632852b01cfca
    http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.2_powerpc.deb
      Size/MD5:  4474528 bc9647e3320d694226a2a8e6f107ec02
    http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2_powerpc.deb
      Size/MD5:   589690 56edd0928fd37d727707c056a6b2817b

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/p/pidgin/finch_2.4.1-1ubuntu2.2_sparc.deb
      Size/MD5:   212828 72ae328af916d4e831f387092561e4ef
    http://ports.ubuntu.com/pool/main/p/pidgin/libpurple0_2.4.1-1ubuntu2.2_sparc.deb
      Size/MD5:  1531820 7f5759f32b810ba0d2765f881f4661dc
    http://ports.ubuntu.com/pool/main/p/pidgin/pidgin-dbg_2.4.1-1ubuntu2.2_sparc.deb
      Size/MD5:  4363018 9ec1b1e8a3d8b71f47f7e49f07bc9319
    http://ports.ubuntu.com/pool/main/p/pidgin/pidgin_2.4.1-1ubuntu2.2_sparc.deb
      Size/MD5:   545602 a269667a162aff2a50b482a58bb23233
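As an added example (not part of USN-675-1 and not Ubuntu's own tooling), the following POSIX shell script reads the package listing above in its "URL, then Size/MD5: <size> <md5>" form and checks that a file fetched by hand has the byte count and MD5 the notice lists for it. The function names are the example's own, and the sample file and listing it uses for self-checking are constructed stand-ins, not one of the packages above.

```shell
#!/bin/sh
# Added example, not part of USN-675-1: verify a manually downloaded package
# against the "Size/MD5:" entry the notice lists for it.
# Assumes POSIX sh plus awk, md5sum, wc, cut and basename.

# Print "<size> <md5>" that the notice text gives for a package file name,
# or nothing if the name is not listed. Works token by token, so it does not
# matter whether the URL and its Size/MD5 entry sit on one line or on two.
expected_for() {
    advisory="$1"; pkg="$2"
    awk -v pkg="$pkg" '
        { for (i = 1; i <= NF; i++) tok[n++] = $i }
        END {
            for (i = 0; i < n; i++) {
                t = tok[i]
                # A URL token ends with "/<pkg>" and is followed by "Size/MD5:".
                if (length(t) > length(pkg) &&
                    substr(t, length(t) - length(pkg)) == "/" pkg &&
                    tok[i + 1] == "Size/MD5:") {
                    print tok[i + 2], tok[i + 3]
                    exit
                }
            }
        }' "$advisory"
}

# Compare a file's byte size and MD5 with the notice's values.
# Exit status: 0 = both match, 1 = mismatch or file not listed.
verify_deb() {
    advisory="$1"; file="$2"
    set -- $(expected_for "$advisory" "$(basename "$file")")
    if [ $# -ne 2 ]; then
        echo "not listed in notice: $file" >&2
        return 1
    fi
    want_size="$1"; want_md5="$2"
    have_size=$(wc -c < "$file" | tr -d ' ')
    have_md5=$(md5sum "$file" | cut -d' ' -f1)
    [ "$have_size" = "$want_size" ] && [ "$have_md5" = "$want_md5" ]
}

# Usage: sh verify_usn.sh <saved-notice.txt> <downloaded-package.deb>
if [ $# -eq 2 ]; then
    if verify_deb "$1" "$2"; then
        echo "OK: $2 matches the notice"
    else
        echo "MISMATCH: $2 does not match the notice" >&2
        exit 1
    fi
fi
```

Run it with the saved notice text and a package downloaded from one of the URLs above, for example `sh verify_usn.sh usn-675-1.txt pidgin_2.4.1-1ubuntu2.2_i386.deb`. A match only shows the download agrees with the notice; the notice is trusted because it arrives as a signed message (the signature.asc part), and since MD5 is not collision resistant, apt's signed Release-file chain, not this check, is what authenticates packages on a normal upgrade.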
Attachment:
signature.asc
Description: This is a digitally signed message part