← Back to team overview

oem-qa team mailing list archive

  1. oem-qa team
  2. Mailing list archive
  3. Message #00295

[Bug 383335] [NEW] Please update pidgin to fix security vulnerabilities

  Thread PreviousDate PreviousThread Next 
*** This bug is a security vulnerability ***

Public security bug reported:

Pidgin in generic hardy has been update to fix three security
vulnerabilities. The patches should be applied to tpidgin for the mini.
Note that pidgin for the mini is in version
1:2.4.3ubuntu1~hardy1netbook5.

pidgin (1:2.4.1-1ubuntu2.4) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service or possible code execution in XMPP
    file transfer
    - debian/patches/81_security_CVE-2009-1373.patch: calculate lengths
      correctly in libpurple/protocols/jabber/si.c.
    - CVE-2009-1373
  * SECURITY UPDATE: denial of service in PurpleCircBuffer object expansion
    - debian/patches/82_security_CVE-2009-1375.patch: add an additional
      check in libpurple/circbuffer.c.
    - CVE-2009-1375
  * SECURITY UPDATE: arbitrary code execution via crafted MSN message
    - debian/patches/83_security_CVE-2009-1376.patch: switch offset
      variable to guint64 in libpurple/protocols/msn/slplink.c.
    - CVE-2009-1376

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Mon, 25 May 2009
17:24:40 +0200

** Affects: dell-mini
     Importance: Undecided
         Status: New

** Description changed:

  Pidgin in generic hardy has been update to fix three security
  vulnerabilities. The patches should be applied to tpidgin for the mini.
  Note that pidgin for the mini is in version
  1:2.4.3ubuntu1~hardy1netbook5.
  
  pidgin (1:2.4.1-1ubuntu2.4) hardy-security; urgency=low
  
    * SECURITY UPDATE: denial of service or possible code execution in XMPP
      file transfer
      - debian/patches/81_security_CVE-2009-1373.patch: calculate lengths
        correctly in libpurple/protocols/jabber/si.c.
      - CVE-2009-1373
    * SECURITY UPDATE: denial of service in PurpleCircBuffer object expansion
      - debian/patches/82_security_CVE-2009-1375.patch: add an additional
        check in libpurple/circbuffer.c.
      - CVE-2009-1375
    * SECURITY UPDATE: arbitrary code execution via crafted MSN message
      - debian/patches/83_security_CVE-2009-1376.patch: switch offset
        variable to guint64 in libpurple/protocols/msn/slplink.c.
      - CVE-2009-1376
- pidgin (1:2.4.1-1ubuntu2.4) hardy-security; urgency=low
- 
-   * SECURITY UPDATE: denial of service or possible code execution in XMPP
-     file transfer
-     - debian/patches/81_security_CVE-2009-1373.patch: calculate lengths
-       correctly in libpurple/protocols/jabber/si.c.
-     - CVE-2009-1373
-   * SECURITY UPDATE: denial of service in PurpleCircBuffer object expansion
-     - debian/patches/82_security_CVE-2009-1375.patch: add an additional
-       check in libpurple/circbuffer.c.
-     - CVE-2009-1375
-   * SECURITY UPDATE: arbitrary code execution via crafted MSN message
-     - debian/patches/83_security_CVE-2009-1376.patch: switch offset
-       variable to guint64 in libpurple/protocols/msn/slplink.c.
-     - CVE-2009-1376
  
   -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Mon, 25 May 2009
  17:24:40 +0200

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2009-1373

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2009-1375

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2009-1376

** This bug has been flagged as a security vulnerability

-- 
Please update pidgin to fix security vulnerabilities
https://bugs.launchpad.net/bugs/383335
You received this bug notification because you are a member of OEM
Services QA, which is subscribed to The Dell Mini Project.

Status in Dell Inspiron Mini with Custom Dell UI: New

Bug description:
Pidgin in generic hardy has been update to fix three security vulnerabilities. The patches should be applied to tpidgin for the mini. Note that pidgin for the mini is in version 1:2.4.3ubuntu1~hardy1netbook5.

pidgin (1:2.4.1-1ubuntu2.4) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service or possible code execution in XMPP
    file transfer
    - debian/patches/81_security_CVE-2009-1373.patch: calculate lengths
      correctly in libpurple/protocols/jabber/si.c.
    - CVE-2009-1373
  * SECURITY UPDATE: denial of service in PurpleCircBuffer object expansion
    - debian/patches/82_security_CVE-2009-1375.patch: add an additional
      check in libpurple/circbuffer.c.
    - CVE-2009-1375
  * SECURITY UPDATE: arbitrary code execution via crafted MSN message
    - debian/patches/83_security_CVE-2009-1376.patch: switch offset
      variable to guint64 in libpurple/protocols/msn/slplink.c.
    - CVE-2009-1376

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Mon, 25 May 2009 17:24:40 +0200

Follow ups

References

  Thread PreviousDate PreviousThread Next