Mandriva Linux Security Advisory : pidgin (MDVSA-2011:183)

medium Nessus Plugin ID 57079

Synopsis

The remote Mandriva Linux host is missing one or more security updates.

Description

Multiple vulnerabilities have been discovered and corrected in pidgin:

When receiving various stanzas related to voice and video chat, the XMPP protocol plugin failed to ensure that the incoming message contained all required fields, and would crash if certain fields were missing.

When receiving various messages related to requesting or receiving authorization for adding a buddy to a buddy list, the oscar protocol plugin failed to validate that a piece of text was UTF-8. In some cases invalid UTF-8 data would lead to a crash (CVE-2011-4601).

When receiving various incoming messages, the SILC protocol plugin failed to validate that a piece of text was UTF-8. In some cases invalid UTF-8 data would lead to a crash (CVE-2011-3594).

This update provides pidgin 2.10.1, which is not vulnerable to these issues.

Solution

Update the affected packages.

See Also

http://pidgin.im/news/security/?id=56

http://pidgin.im/news/security/?id=57

http://pidgin.im/news/security/?id=58

http://www.pidgin.im/news/security/

Plugin Details

Severity: Medium

ID: 57079

File Name: mandriva_MDVSA-2011-183.nasl

Version: 1.9

Type: local

Published: 12/12/2011

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:finch, p-cpe:/a:mandriva:linux:lib64finch0, p-cpe:/a:mandriva:linux:lib64purple-devel, p-cpe:/a:mandriva:linux:lib64purple0, p-cpe:/a:mandriva:linux:libfinch0, p-cpe:/a:mandriva:linux:libpurple-devel, p-cpe:/a:mandriva:linux:libpurple0, p-cpe:/a:mandriva:linux:pidgin, p-cpe:/a:mandriva:linux:pidgin-bonjour, p-cpe:/a:mandriva:linux:pidgin-client, p-cpe:/a:mandriva:linux:pidgin-gevolution, p-cpe:/a:mandriva:linux:pidgin-i18n, p-cpe:/a:mandriva:linux:pidgin-meanwhile, p-cpe:/a:mandriva:linux:pidgin-perl, p-cpe:/a:mandriva:linux:pidgin-plugins, p-cpe:/a:mandriva:linux:pidgin-silc, p-cpe:/a:mandriva:linux:pidgin-tcl, cpe:/o:mandriva:linux:2010.1, cpe:/o:mandriva:linux:2011

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/10/2011

Reference Information

CVE: CVE-2011-3594, CVE-2011-4601

BID: 49912, 51010

MDVSA: 2011:183