Ubuntu 7.10 / 8.04 LTS : pidgin vulnerabilities (USN-675-1)

Ubuntu Security Notice (C) 2008-2013 Canonical, Inc. / NASL script (C) 2009-2013 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related patches.

Description :

It was discovered that Pidgin did not properly handle certain
malformed messages in the MSN protocol handler. A remote attacker
could send a specially crafted message and possibly execute arbitrary
code with user privileges. (CVE-2008-2927)

It was discovered that Pidgin did not properly handle file transfers
containing a long filename and special characters in the MSN protocol
handler. A remote attacker could send a specially crafted filename in
a file transfer request and cause Pidgin to crash, leading to a denial
of service. (CVE-2008-2955)

It was discovered that Pidgin did not impose resource limitations in
the UPnP service. A remote attacker could cause Pidgin to download
arbitrary files and cause a denial of service from memory or disk
space exhaustion. (CVE-2008-2957)

It was discovered that Pidgin did not validate SSL certificates when
using a secure connection. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could be exploited to view
sensitive information. This update alters Pidgin behaviour by asking
users to confirm the validity of a certificate upon initial login.
(CVE-2008-3532)

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 36899

Bugtraq ID:

CVE ID: CVE-2008-2927
CVE-2008-2955
CVE-2008-2957
CVE-2008-3532