Mandriva Linux Security Advisory : pidgin (MDVSA-2010:041)

medium Nessus Plugin ID 44664

Language:

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

Multiple security vulnerabilities has been identified and fixed in pidgin :

Certain malformed SLP messages can trigger a crash because the MSN protocol plugin fails to check that all pieces of the message are set correctly (CVE-2010-0277).

In a user in a multi-user chat room has a nickname containing '<br>' then libpurple ends up having two users with username ' ' in the room, and Finch crashes in this situation. We do not believe there is a possibility of remote code execution (CVE-2010-0420).

oCERT notified us about a problem in Pidgin, where a large amount of processing time will be used when inserting many smileys into an IM or chat window. This should not cause a crash, but Pidgin can become unusable slow (CVE-2010-0423).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

This update provides pidgin 2.6.6, which is not vulnerable to these issues.

Solution

Update the affected packages.

See Also

http://pidgin.im/news/security/

Plugin Details

Severity: Medium

ID: 44664

File Name: mandriva_MDVSA-2010-041.nasl

Version: 1.17

Type: local

Published: 2/19/2010

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:finch, p-cpe:/a:mandriva:linux:lib64finch0, p-cpe:/a:mandriva:linux:lib64purple-devel, p-cpe:/a:mandriva:linux:lib64purple0, p-cpe:/a:mandriva:linux:libfinch0, p-cpe:/a:mandriva:linux:libpurple-devel, p-cpe:/a:mandriva:linux:libpurple0, p-cpe:/a:mandriva:linux:pidgin, p-cpe:/a:mandriva:linux:pidgin-bonjour, p-cpe:/a:mandriva:linux:pidgin-client, p-cpe:/a:mandriva:linux:pidgin-gevolution, p-cpe:/a:mandriva:linux:pidgin-i18n, p-cpe:/a:mandriva:linux:pidgin-meanwhile, p-cpe:/a:mandriva:linux:pidgin-mono, p-cpe:/a:mandriva:linux:pidgin-perl, p-cpe:/a:mandriva:linux:pidgin-plugins, p-cpe:/a:mandriva:linux:pidgin-silc, p-cpe:/a:mandriva:linux:pidgin-tcl, cpe:/o:mandriva:linux:2008.0, cpe:/o:mandriva:linux:2009.1, cpe:/o:mandriva:linux:2010.0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 2/18/2010

Reference Information

CVE: CVE-2010-0277, CVE-2010-0420, CVE-2010-0423

BID: 38294

CWE: 20, 399

MDVSA: 2010:041