Summary: | <net-im/pidgin-2.10.1 DoS (CVE-2011-{4601,4602,4603}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | net-im, sven.koehler |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.openwall.com/lists/oss-security/2011/12/10/1 | ||
Whiteboard: | B3 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2011-12-10 12:50:04 UTC
2.10.1 is in tree. Arch teams, please, test it and stabilize. =net-im/pidgin-2.10.1 Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86" Also CVE-2011-4603 (http://pidgin.im/news/security/?id=59): Title SILC remote crash Date 2011-09-29 CVE Name CVE-2011-4603 Discovered By Diego Bauche Madero from IOActive Description When receiving various incoming messages, the SILC protocol plugin failed to validate that a piece of text was UTF-8. In some cases invalid UTF-8 data would lead to a crash. This vulnerability is similar to CVE-2011-3594, but occurs in a different piece of code and was fixed at a later date. Fixed in Revision afb9ede3de989f217f03d5670cca00e628bd11f1 Fixed in Version 2.10.1 Fix Validate incoming strings as UTF-8 before using them as such. amd64 stable Stable for HPPA. Builds and runs fine for x86. Please mark stable for x86. x86 stable, thanks Myckel alpha/ia64/sparc stable and arm is not stable CVE-2011-4603 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4603): The silc_channel_message function in ops.c in the SILC protocol plugin in libpurple in Pidgin before 2.10.1 does not perform the expected UTF-8 validation on message data, which allows remote attackers to cause a denial of service (application crash) via a crafted message, a different vulnerability than CVE-2011-3594. CVE-2011-4602 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4602): The XMPP protocol plugin in libpurple in Pidgin before 2.10.1 does not properly handle missing fields in (1) voice-chat and (2) video-chat stanzas, which allows remote attackers to cause a denial of service (application crash) via a crafted message. ppc/ppc64 done Thanks, everyone. GLSA Vote: no. CVE-2011-4601 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4601): family_feedbag.c in the oscar protocol plugin in libpurple in Pidgin before 2.10.1 does not perform the expected UTF-8 validation on message data, which allows remote attackers to cause a denial of service (application crash) via a crafted (1) AIM or (2) ICQ message associated with buddy-list addition. Vote: No. Closing noglsa. |