Ryan Rix wrote:
> pidgin: buffer/integer overflows
> 
> *Package(s)*: pidgin
> *CVE #(s)*: CVE-2009-1373 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1373>, CVE-2009-1376 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1376>
> *Created*: May 22, 2009
> *Updated*: June 2, 2009
> *Description*:        From the Red Hat advisory:
> 
> A buffer overflow flaw was found in the way Pidgin initiates file 
> transfers when using the Extensible Messaging and Presence Protocol 
> (XMPP). If a Pidgin client initiates a file transfer, and the remote 
> target sends a malformed response, it could cause Pidgin to crash or, 
> potentially, execute arbitrary code with the permissions of the user 
> running Pidgin. This flaw only affects accounts using XMPP, such as 
> Jabber and Google Talk. (CVE-2009-1373)
> 
> It was discovered that on 32-bit platforms, the Red Hat Security 
> Advisory RHSA-2008:0584 provided an incomplete fix for the integer 
> overflow flaw affecting Pidgin's MSN protocol handler. If a Pidgin 
> client receives a specially-crafted MSN message, it may be possible to 
> execute arbitrary code with the permissions of the user running Pidgin. 
> (CVE-2009-1376)
> 
> *Alerts*:
> Red Hat       RHSA-2009:1059-02 <http://lwn.net/Alerts/334298/>  2009-05-22
> Red Hat       RHSA-2009:1060-02 <http://lwn.net/Alerts/334299/>  2009-05-22
> CentOS        CESA-2009:1059 <http://lwn.net/Alerts/334304/>     2009-05-22
> CentOS        CESA-2009:1060 <http://lwn.net/Alerts/334571/>     2009-05-22
> Debian        DSA-1805-1 <http://lwn.net/Alerts/334558/>         2009-05-22
> Gentoo        200905-07 <http://lwn.net/Alerts/334681/>          2009-05-25
> Slackware     SSA:2009-146-01 <http://lwn.net/Alerts/334879/>    2009-05-27
> Fedora        FEDORA-2009-5552 <http://lwn.net/Alerts/335740/>   2009-05-28
> Fedora        FEDORA-2009-5597 <http://lwn.net/Alerts/335741/>   2009-05-28
> Fedora        FEDORA-2009-5583 <http://lwn.net/Alerts/335742/>   2009-05-28
> 
> 
> http://lwn.net/Articles/334067/
> 
> -- 
> Thanks and best regards,
> Ryan Rix
> TamsPalm - The PalmOS Blog
> (623)-239-1103 <-- Grand Central, baby!
> 
> Jasmine Bowden - Class of 2009, Marc Rasmussen - Class of 2008, Erica
> Sheffey - Class of 2009, Rest in peace.
> 

I presume that's what the Ubuntu (8.04 LTS) update for Pidgin that came 
out yesterday was for.

I do appreciate not having to track and worry about that sort of thing 
(but I'm glad someone does). I simply apply the updates as they appear. 
Nice. :)

-- 
-Eric 'shubes'

---------------------------------------------------
PLUG-discuss mailing list - [email protected]
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
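The quoted advisory describes CVE-2009-1376 as an integer overflow in a protocol handler whose earlier fix was incomplete on 32-bit platforms. As an added illustration of that bug class (example code written for this thread, not Pidgin's code, and not the actual MSN/SLP parsing logic), the block below shows the textbook shape of the problem: a fragment header carrying an offset and a length is checked with `offset + length <= total_size`, the addition wraps in 32-bit unsigned arithmetic, and a fragment that lands far outside the reassembly buffer is accepted. The hardened check never forms the sum. The header layout, field names and the sample chunks are all constructed for the example; `uint32_t` is used explicitly so the 32-bit wraparound reproduces on a 64-bit host as well.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed fragment header for a message reassembled in pieces: the
 * receiver copies 'length' payload bytes to 'offset' inside a buffer of
 * 'total_size' bytes. Layout and names are assumptions for this example. */
struct chunk_hdr {
    uint32_t total_size;
    uint32_t offset;
    uint32_t length;
};

/* Vulnerable bounds check: offset + length is computed in 32-bit unsigned
 * arithmetic, so a hostile offset near 0xFFFFFFFF makes the sum wrap to a
 * small value that passes the comparison. Returns 1 if the chunk is accepted. */
int vulnerable_check(const struct chunk_hdr *h)
{
    uint32_t end = h->offset + h->length;   /* may wrap around */
    return end <= h->total_size;
}

/* Hardened check: compare each field against the space that remains instead
 * of adding them, so no intermediate value can overflow. */
int hardened_check(const struct chunk_hdr *h)
{
    if (h->length > h->total_size)
        return 0;
    if (h->offset > h->total_size - h->length)
        return 0;
    return 1;
}

/* Copy one fragment into buf (which holds total_size bytes) only after the
 * hardened check passes. Returns bytes copied, or -1 if the chunk is rejected. */
int reassemble_chunk(uint8_t *buf, const struct chunk_hdr *h,
                     const uint8_t *payload)
{
    if (!hardened_check(h))
        return -1;
    memcpy(buf + h->offset, payload, h->length);
    return (int)h->length;
}

int main(void)
{
    uint8_t buf[100];
    uint8_t payload[32];
    memset(buf, 0, sizeof buf);
    memset(payload, 'A', sizeof payload);

    /* Constructed sample chunks: one sane, one plainly too large, and one
     * whose offset + length wraps past 2^32. */
    struct chunk_hdr sane = { 100, 10, 20 };
    struct chunk_hdr big  = { 100, 90, 20 };
    struct chunk_hdr wrap = { 100, 0xFFFFFFF0u, 0x20 };

    printf("sane: vulnerable=%d hardened=%d\n",
           vulnerable_check(&sane), hardened_check(&sane));
    printf("big:  vulnerable=%d hardened=%d\n",
           vulnerable_check(&big), hardened_check(&big));
    printf("wrap: vulnerable=%d hardened=%d\n",
           vulnerable_check(&wrap), hardened_check(&wrap));
    printf("reassemble(wrap) -> %d\n", reassemble_chunk(buf, &wrap, payload));
    return 0;
}
```

The `wrap` chunk is the interesting case: `0xFFFFFFF0 + 0x20` becomes `0x10` in 32-bit arithmetic, so the vulnerable check sees 16 <= 100 and would let a `memcpy` write roughly 4 GiB before the start of the buffer, while the hardened check rejects it because the offset exceeds `total_size - length`. This is also why a fix can pass on 64-bit and still fail on 32-bit when the arithmetic is done in `size_t`: the same sum does not wrap in a 64-bit type.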
