Rapid7 Vulnerability & Exploit Database

RHSA-2009:1060: pidgin security update

Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.

A buffer overflow flaw was found in the way Pidgin initiates file transfers when using the Extensible Messaging and Presence Protocol (XMPP). If a Pidgin client initiates a file transfer, and the remote target sends a malformed response, it could cause Pidgin to crash or, potentially, execute arbitrary code with the permissions of the user running Pidgin. This flaw only affects accounts using XMPP, such as Jabber and Google Talk. (CVE-2009-1373)

A denial of service flaw was found in Pidgin's QQ protocol decryption handler. When the QQ protocol decrypts packet information, heap data can be overwritten, possibly causing Pidgin to crash. (CVE-2009-1374)

A flaw was found in the way Pidgin's PurpleCircBuffer object is expanded. If the buffer is full when more data arrives, the data stored in this buffer becomes corrupted. This corrupted data could result in confusing or misleading data being presented to the user, or possibly crash Pidgin. (CVE-2009-1375)

It was discovered that on 32-bit platforms, the Red Hat Security Advisory RHSA-2008:0584 provided an incomplete fix for the integer overflow flaw affecting Pidgin's MSN protocol handler. If a Pidgin client receives a specially-crafted MSN message, it may be possible to execute arbitrary code with the permissions of the user running Pidgin. (CVE-2009-1376)

Note: By default, when using an MSN account, only users on your buddy list can send you messages. This prevents arbitrary MSN users from exploiting this flaw.

All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Pidgin must be restarted for this update to take effect.
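The PurpleCircBuffer expansion flaw (CVE-2009-1375) is an instance of a classic ring-buffer failure mode: when the ring is exactly full, the read and write cursors coincide, which looks the same as an empty ring. A grow routine that infers "the queued data wraps around the end" from cursor order alone will therefore leave the oldest bytes in place on a full ring, and the next append lands on top of them. The C program below is an added illustration of that bug class and its fix; it is not Pidgin's or Red Hat's code, and the ring_t type, its field names, the grow/append/read helpers and the "ABCD"/"EF"/"GH" scenario are all assumptions constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable ring buffer (not Pidgin's real PurpleCircBuffer). */
typedef struct {
    char *buffer;            /* backing store, buflen bytes */
    size_t buflen, bufused;  /* allocated size, bytes queued */
    char *inptr, *outptr;    /* next write / next read position */
} ring_t;

static void ring_init(ring_t *b, size_t len)
{
    b->buffer = b->inptr = b->outptr = malloc(len);
    if (!b->buffer) abort();
    b->buflen = len; b->bufused = 0;
}

/* Reallocate the store. If the queued data wraps past the old end, the
 * segment [outptr, old end) must move to the end of the new store so that
 * the free space is contiguous again. Deciding "wraps" is the whole bug. */
static void ring_grow_impl(ring_t *b, size_t len, int data_wraps)
{
    size_t in_off = (size_t)(b->inptr - b->buffer);
    size_t out_off = (size_t)(b->outptr - b->buffer);
    size_t old_len = b->buflen, new_len = old_len + len;
    char *nb = realloc(b->buffer, new_len);
    if (!nb) abort();
    memset(nb + old_len, 0, len);            /* keep the demo deterministic */
    b->buffer = nb; b->inptr = nb + in_off; b->outptr = nb + out_off;
    if (data_wraps) {
        size_t tail = old_len - out_off;
        memmove(nb + new_len - tail, nb + out_off, tail);
        b->outptr = nb + new_len - tail;
    }
    b->buflen = new_len;
}

/* Buggy: infers "wrapped" from cursor order alone. A completely full ring
 * has inptr == outptr, indistinguishable from empty, so nothing is moved. */
static void ring_grow_buggy(ring_t *b, size_t len)
{
    ring_grow_impl(b, len, b->inptr < b->outptr);
}

/* Fixed: the byte count disambiguates full from empty. */
static void ring_grow_fixed(ring_t *b, size_t len)
{
    ring_grow_impl(b, len, b->inptr < b->outptr ||
                           (b->inptr == b->outptr && b->bufused > 0));
}

static void ring_append(ring_t *b, const char *src, size_t len,
                        void (*grow)(ring_t *, size_t))
{
    if (b->bufused + len > b->buflen)
        grow(b, b->bufused + len - b->buflen);
    while (len > 0) {
        size_t to_end = b->buflen - (size_t)(b->inptr - b->buffer);
        size_t n = len < to_end ? len : to_end;
        memcpy(b->inptr, src, n);
        b->inptr += n; src += n; len -= n; b->bufused += n;
        if (b->inptr == b->buffer + b->buflen)
            b->inptr = b->buffer;                /* wrap the write cursor */
    }
}

static size_t ring_read(ring_t *b, char *dst, size_t len)
{
    size_t n = 0;
    while (n < len && b->bufused > 0) {
        dst[n++] = *b->outptr++; b->bufused--;
        if (b->outptr == b->buffer + b->buflen)
            b->outptr = b->buffer;               /* wrap the read cursor */
    }
    return n;
}

/* Constructed scenario: a 4-byte ring gets "ABCD", the reader takes "AB",
 * "EF" arrives and wraps (ring full, inptr == outptr), then "GH" arrives
 * and forces a grow. A correct ring drains "CDEFGH". */
static const char *ring_scenario(void (*grow)(ring_t *, size_t))
{
    static char out[16];
    char tmp[2];
    ring_t b;
    ring_init(&b, 4);
    ring_append(&b, "ABCD", 4, grow);
    ring_read(&b, tmp, sizeof tmp);
    ring_append(&b, "EF", 2, grow);
    ring_append(&b, "GH", 2, grow);
    out[ring_read(&b, out, sizeof out - 1)] = '\0';
    free(b.buffer);
    return out;
}

int main(void)
{
    printf("buggy grow drains \"%s\"\n", ring_scenario(ring_grow_buggy));
    printf("fixed grow drains \"%s\"\n", ring_scenario(ring_grow_fixed));
    return 0;
}
```

With the buggy grow the drained bytes start with "GH": the queued "CD" that sat under the write cursor has been overwritten and the stream the consumer sees is reordered and truncated, which is exactly the "confusing or misleading data" outcome the advisory describes. The practitioner's check for any ring buffer that can be resized or compacted is that full and empty must be told apart by a count (or by leaving one slot unused), never by cursor equality alone.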


  • redhat-upgrade-finch
  • redhat-upgrade-finch-devel
  • redhat-upgrade-libpurple
  • redhat-upgrade-libpurple-devel
  • redhat-upgrade-libpurple-perl
  • redhat-upgrade-libpurple-tcl
  • redhat-upgrade-pidgin
  • redhat-upgrade-pidgin-devel
  • redhat-upgrade-pidgin-perl
