Dear colleagues,
We have just received the following Fedora Security Advisory. We are
forwarding this information to you unchanged.
CVE-2011-1091 - Vulnerabilities in the libpurple library
The Yahoo protocol plugin of the libpurple library, versions 2.6.0
through 2.7.10, handles YMSG packets (both SMS messages and
'notification packets') in an unsafe manner. Specially crafted packets
can trigger several NULL pointer dereferences and crash the application
that uses the library. A remote, authenticated attacker can exploit this
vulnerability to cause a denial of service. To deliver a manipulated SMS
message, the attacker needs a Yahoo server under their control.
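To illustrate the failure mode the advisory describes, here is an added example (not libpurple's code) of a minimal YMSG key/value field lookup together with a handler that rejects a packet whose required field is missing instead of dereferencing NULL; the 0xC0 0x80 separator follows the YMSG wire format, while the field numbers and the packets are assumptions constructed for the example.

```c
/* Added example, not libpurple code: minimal YMSG field lookup plus a
 * notification handler that treats a missing field as a protocol error
 * instead of passing NULL to string functions. Field numbers (4 = sender,
 * 14 = message text) are assumed; the packets below are constructed. */
#include <stddef.h>
#include <string.h>
#define YMSG_SEP "\xC0\x80"   /* YMSG key/value separator bytes */
#define PKT_LEN(p) (sizeof(p) - 1)
/* Constructed test packets (not captured traffic). */
static const char PKT_OK[]    = "4" YMSG_SEP "alice" YMSG_SEP "14" YMSG_SEP "hello" YMSG_SEP;
static const char PKT_NOMSG[] = "4" YMSG_SEP "alice" YMSG_SEP;   /* field 14 missing */

/* Locate the next 0xC0 0x80 separator in [p, end), or NULL. */
static const char *find_sep(const char *p, const char *end)
{
    for (; p + 1 < end; p++)
        if ((unsigned char)p[0] == 0xC0 && (unsigned char)p[1] == 0x80)
            return p;
    return NULL;
}
/* Copy the value of numeric field `key` into out; NULL if absent or malformed. */
static char *ymsg_get_field(const char *p, size_t len, const char *key,
                            char *out, size_t outsz)
{
    const char *end = p + len;
    size_t klen = strlen(key);
    while (p < end) {
        const char *ksep = find_sep(p, end);          /* end of key */
        if (!ksep) return NULL;
        const char *v = ksep + 2;
        const char *vsep = find_sep(v, end);          /* end of value */
        if (!vsep) return NULL;
        if ((size_t)(ksep - p) == klen && memcmp(p, key, klen) == 0) {
            size_t vlen = (size_t)(vsep - v);
            if (vlen >= outsz) return NULL;           /* refuse oversized value */
            memcpy(out, v, vlen); out[vlen] = '\0';
            return out;
        }
        p = vsep + 2;
    }
    return NULL;
}

/* Hardened handler: message length, or -1 when a required field is missing
 * (an unchecked version would call strlen(NULL) here and crash the client). */
int ymsg_handle_notification(const char *p, size_t len)
{
    char from[64], msg[256];
    if (!ymsg_get_field(p, len, "4", from, sizeof from)) return -1;
    if (!ymsg_get_field(p, len, "14", msg, sizeof msg)) return -1;
    return (int)strlen(msg);
}
```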
The following software packages and platforms are affected:
Package pidgin
Fedora 13
The vendor provides updated packages.
(c) of the German summary by DFN-CERT Services GmbH; distribution,
including in excerpts, is permitted only with attribution to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.
Kind regards,
Michael Groening, DFN-CERT
--
Michael Groening (Incident Response Team)
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
Automated warning messages https://www.cert.dfn.de/autowarn
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-3132
2011-03-11 20:25:06
--------------------------------------------------------------------------------
Name : pidgin
Product : Fedora 13
Version : 2.7.11
Release : 1.fc13
URL : http://pidgin.im/
Summary : A Gtk+ based multiprotocol instant messaging client
Description :
Pidgin allows you to talk to anyone using a variety of messaging
protocols including AIM, MSN, Yahoo!, Jabber, Bonjour, Gadu-Gadu,
ICQ, IRC, Novell Groupwise, QQ, Lotus Sametime, SILC, Simple and
Zephyr. These protocols are implemented using a modular, easy to
use design. To use a protocol, just add an account using the
account editor.
Pidgin supports many common features of other clients, as well as many
unique features, such as perl scripting, TCL scripting and C plugins.
Pidgin is not affiliated with or endorsed by America Online, Inc.,
Microsoft Corporation, Yahoo! Inc., or ICQ Inc.
--------------------------------------------------------------------------------
Update Information:
New release 2.7.11
Full Upstream ChangeLog:
http://developer.pidgin.im/wiki/ChangeLog
--------------------------------------------------------------------------------
ChangeLog:
* Fri Mar 11 2011 Stu Tomlinson
- 2.7.11, includes security/DoS fixes in Yahoo protocol
CVE-2011-1091 (#683031)
* Thu Mar 10 2011 Dan Williams
- Update for NetworkManager 0.9
* Tue Feb 22 2011 Stu Tomlinson
- 2.7.10
* Wed Feb 9 2011 Fedora Release Engineering
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Tue Feb 1 2011 Milan Crha
- Rebuild against newer evolution-data-server
* Wed Jan 12 2011 Milan Crha
- Rebuild against newer evolution-data-server
* Mon Dec 27 2010 Stu Tomlinson
- 2.7.9, includes security/DoS fix in the MSN protocol (#665856)
* Mon Nov 29 2010 Stu Tomlinson
- 2.7.7
- Disable MSNP16 due to regressions interacting with official client
* Fri Nov 19 2010 Stu Tomlinson
- Add additional intermediate CA certificates to fix MSN
* Mon Nov 1 2010 Stu Tomlinson
- 2.7.5
* Fri Oct 22 2010 Stu Tomlinson
- 2.7.4, includes security fix for CVE-2010-3711
* Tue Oct 12 2010 Milan Crha
- Rebuild against newer evolution-data-server
* Wed Sep 29 2010 jkeating - 2.7.3-5
- Rebuilt for gcc bug 634757
* Thu Sep 16 2010 Stu Tomlinson
- Rebuild against newer libedataserver
* Mon Sep 13 2010 Dan Horák
- drop the s390(x) ifarchs
* Mon Aug 23 2010 Tom "spot" Callaway
- use _isa in explicit Requires on libpurple to prevent yum from trying to
jump architectures to resolve dependency
* Wed Aug 11 2010 Stu Tomlinson
- 2.7.3
* Wed Jul 21 2010 Stu Tomlinson
- 2.7.2 with a security fix (CVE-2010-2528) and a couple of bug fixes (#601650)
* Thu Jul 15 2010 Stu Tomlinson
- Rebuild against newer libedataserver
- spec file cleanup:
replace %define with %global
replace tabs with spaces for consistency
mark prefs.xml as a config file
* Wed Jul 7 2010 Stu Tomlinson
- Include license in libpurple subpackage
* Tue Jun 1 2010 Marcela Maslanova
- Mass rebuild with perl-5.12.0
* Sun May 30 2010 Stu Tomlinson
- Add Obsoletes to pull in pidgin-evolution during update
* Sun May 30 2010 Stu Tomlinson
- 2.7.1
- Adds Direct Connection support for MSN
- Numerous bug fixes
- Evolution support moved to pidgin-evolution for F13+ (#581144)
* Thu May 20 2010 Stu Tomlinson
- Upstream backports:
3c30f64efedafc379b6536852bbb3b6ef5f1f6c9 - fix for receiving HTML on ICQ
13fbe0815f84d5b3c001947559f5818c10275f4c - prevent null deref on disconnecting account (#592750)
c4a874926d07b8597db4b78a181a89cf720a8418 - fix blinking tray icon on new message (#592691)
cfe0e649dda34d9252d40d8f67e445336a247998 - prevent race condition on Yahoo! login
e3dd36706068f3b8eabd630ff71d270c145cce42 - fix crash in Oscar (#548128)
13fbe0815f84d5b3c001947559f5818c10275f4c - fix crash during network disconnect (#592750)
* Thu May 13 2010 Stu Tomlinson
- 2.7.0 with features, bug fixes and a security fix: CVE-2010-1624 (#591806)
- Use System SSL Certificates (#576721)
- Add additional dependencies for Voice + Video (#581343)
- Upstream backport:
87ada76abf90c44e615679efc5f8128bb941bba1 Reduce MSN traffic
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #683031 – CVE-2011-1091 Pidgin: Multiple NULL pointer dereference flaws in Yahoo protocol plug-in
https://bugzilla.redhat.com/show_bug.cgi?id=683031
[ 2 ] Bug #684685 – Cipher API information disclosure in pidgin
https://bugzilla.redhat.com/show_bug.cgi?id=684685
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update pidgin' at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------