pidgin vulnerabilities

24 November 2008

pidgin vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 8.04 LTS
• Ubuntu 7.10

Software Description

• pidgin

Details

It was discovered that Pidgin did not properly handle certain malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2008-2927)

It was discovered that Pidgin did not properly handle file transfers containing a long filename and special characters in the MSN protocol handler. A remote attacker could send a specially crafted filename in a file transfer request and cause Pidgin to crash, leading to a denial of service. (CVE-2008-2955)

It was discovered that Pidgin did not impose resource limitations in the UPnP service. A remote attacker could cause Pidgin to download arbitrary files and cause a denial of service from memory or disk space exhaustion. (CVE-2008-2957)

It was discovered that Pidgin did not validate SSL certificates when using a secure connection. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. This update alters Pidgin behaviour by asking users to confirm the validity of a certificate upon initial login. (CVE-2008-3532)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 8.04 LTS

pidgin - 1:2.4.1-1ubuntu2.2

Ubuntu 7.10

pidgin - 1:2.2.1-1ubuntu4.3

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system upgrade you need to restart Pidgin to effect the necessary changes.

References

• CVE-2008-2927
• CVE-2008-2955
• CVE-2008-2957
• CVE-2008-3532