Summary: | <net-im/pidgin-2.6.6 multiple vulnerabilities (CVE-2010-{0277,0420,0423}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Dani Soufi <danisoufi> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | hauschild.markus, net-im, tomka |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B3 [noglsa] | ||
Package list: | | Runtime testing required: | --- |
Description
Dani Soufi
2010-02-18 10:20:14 UTC
New version is in the tree. Thanks Dani and Peter.

Arches, please test and mark stable: =net-im/pidgin-2.6.6
Target keywords: "alpha amd64 hppa ppc ppc64 x86"

Stable for HPPA.

Tested on x86: Looks good.

x86 stable, thanks Thomas

ppc64 done

alpha/ia64/sparc stable

amd64 stable.

CVE-2010-0420 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0420): libpurple in Finch in Pidgin before 2.6.6, when an XMPP multi-user chat (MUC) room is used, does not properly parse nicknames containing `<br>` sequences, which allows remote attackers to cause a denial of service (application crash) via a crafted nickname.

CVE-2010-0423 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0423): gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat.

CVE-2010-0277 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0277): slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013.

Marked ppc stable.

ready for GLSA vote

there is also bug 324023

DoS in client application → noglsa.