[Sec-cert] [Fedora] Vulnerability in Pidgin up to and including version 2.6.4 - FEDORA-2010-0429

WiN Site Security Contacts win-sec-ssc at lists.dfn-cert.de
Wed Jan 13 16:37:06 CET 2010



Dear colleagues,

We have just received the following Fedora Security Advisory. We are
forwarding this information to you unchanged.

CVE-2010-0013 - Directory traversal vulnerability in the MSN protocol plugin
of the libpurple library

  The MSN protocol plugin of the libpurple library interprets shell
  metacharacters (e.g. "..") in "application/x-msnmsgrp2p" MSN emoticon
  requests (so-called "custom smileys"). A remote attacker can exploit this
  vulnerability to read arbitrary files belonging to the user and thereby
  obtain possibly confidential data. The vulnerability is related to
  CVE-2004-0122.
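As an added illustration (not libpurple's code and not the upstream fix), the weak pattern the summary describes next to a hardened one that treats the peer-supplied value only as a lookup key; the smiley directory and the list of advertised smileys are constructed assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed location of the local user's custom smileys (assumption). */
#define SMILEY_DIR "/home/user/.purple/smileys/"
/* Constructed list of custom smileys this client has itself advertised to
 * its contacts (assumption): the only objects a peer may legitimately ask for. */
static const char *const advertised_smileys[] = { "cat.png", "dog.gif", NULL };

/* Weak pattern: the Location value from the peer's request is appended to
 * the local directory as-is, so "../" segments walk out of SMILEY_DIR. */
static const char *weak_smiley_path(const char *peer_location)
{
    static char path[512];
    snprintf(path, sizeof path, "%s%s", SMILEY_DIR, peer_location);
    return path;
}

/* True only for a bare file name: no traversal sequence, no separators. */
static bool is_plain_filename(const char *name)
{
    if (name == NULL || *name == '\0' || strstr(name, "..") != NULL)
        return false;
    return strchr(name, '/') == NULL && strchr(name, '\\') == NULL;
}

/* Hardened pattern: the peer's value is only a lookup key into the list of
 * smileys we advertised ourselves; anything else is refused with NULL. */
static const char *safe_smiley_path(const char *peer_location)
{
    static char path[512];
    if (!is_plain_filename(peer_location))
        return NULL;
    for (size_t i = 0; advertised_smileys[i] != NULL; i++) {
        if (strcmp(advertised_smileys[i], peer_location) == 0) {
            snprintf(path, sizeof path, "%s%s", SMILEY_DIR, peer_location);
            return path;
        }
    }
    return NULL;
}

int main(void)
{
    const char *req = "../../secret.txt";   /* constructed traversal request */
    const char *p = safe_smiley_path(req);
    printf("weak: %s\nsafe: %s\n", weak_smiley_path(req), p ? p : "(refused)");
    return 0;
}
```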

The following software packages and platforms are affected:

  Package pidgin

  Fedora 11
  Fedora 12

The vendor provides updated packages.

Vendor advisory:
  http://lists.fedoraproject.org/pipermail/package-announce/2010-January/033771.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-January/033848.html


(c) for the German summary: DFN-CERT Services GmbH; distribution, including
of excerpts, is permitted only with reference to the author, DFN-CERT
Services GmbH, and only for non-commercial purposes.

Kind regards,
	Torsten Voss

-- 
Dipl.-Ing.(FH) Torsten Voss (Incident Response Team)

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone  +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

17th DFN Workshop    "Sicherheit in vernetzten Systemen"    09./10.02.2010
Information at https://www.dfn-cert.de/veranstaltungen/workshop.html

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-0429
2010-01-12 20:06:36
--------------------------------------------------------------------------------

Name        : pidgin
Product     : Fedora 11
Version     : 2.6.5
Release     : 1.fc11
URL         : http://pidgin.im/
Summary     : A Gtk+ based multiprotocol instant messaging client
Description :
Pidgin allows you to talk to anyone using a variety of messaging
protocols including AIM, MSN, Yahoo!, Jabber, Bonjour, Gadu-Gadu,
ICQ, IRC, Novell Groupwise, QQ, Lotus Sametime, SILC, Simple and
Zephyr.  These protocols are implemented using a modular, easy to
use design.  To use a protocol, just add an account using the
account editor.

Pidgin supports many common features of other clients, as well as many
unique features, such as perl scripting, TCL scripting and C plugins.

Pidgin is not affiliated with or endorsed by America Online, Inc.,
Microsoft Corporation, Yahoo! Inc., or ICQ Inc.

--------------------------------------------------------------------------------
Update Information:

- CVE-2010-0013
- A few other bug fixes
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jan  7 2010 Warren Togami <wtogami at redhat.com> - 2.6.5-1
- 2.6.5
- CVE-2010-0013
- Other bug fixes
* Tue Dec  8 2009 Warren Togami <wtogami at redhat.com> - 2.6.4-4
- temporarily disable evolution integration in F13 until it is fixed
* Wed Dec  2 2009 Warren Togami <wtogami at redhat.com> 2.6.4-2
- disable SILC in EL6 builds
* Mon Nov 30 2009 Warren Togami <wtogami at redhat.com> 2.6.4-1
- 2.6.4
* Mon Oct 19 2009 Warren Togami <wtogami at redhat.com> 2.6.3-2
- Upstream backport:
    3abad7606f4a2dfd1903df796f33924b12509a56 msn_servconn_disconnect-crash
* Fri Oct 16 2009 Warren Togami <wtogami at redhat.com> 2.6.3-1
- 2.6.3 CVE-2009-3615
* Wed Sep  9 2009 Warren Togami <wtogami at redhat.com> 2.6.2-2
- Upstream backports:
    97e003ed2bc2bafbb993693c9ae9c6d667731cc1 aim-buddy-status-grab
    37aa00d044431100d37466517568640cb082680c yahoo-buddy-idle-time
    40005b889ee276fbcd0a4e886a68d8a8cce45698 yahoo-status-change-away
    cb46b045aa6e927a3814d9053c2b1c0f08d6fa62 crash-validate-jid
* Sun Sep  6 2009 Stu Tomlinson <stu at nosnilmot.com> 2.6.2-1.1
- VV support needs to be explicitly disabled on F10
* Sun Sep  6 2009 Stu Tomlinson <stu at nosnilmot.com> 2.6.2-1
- 2.6.2 Fixes a number of crashes
- CVE-2009-2703, CVE-2009-3083, CVE-2009-3084, CVE-2009-3085
* Wed Aug 19 2009 Warren Togami <wtogami at redhat.com> 2.6.1-1
- 2.6.1: Fix a crash when some users send you a link in a Yahoo IM
* Tue Aug 18 2009 Warren Togami <wtogami at redhat.com> 2.6.0-1
- CVE-2009-2694
- Voice and Video support via farsight2 (Fedora 11+)
- Numerous other bug fixes
* Thu Aug  6 2009 Warren Togami <wtogami at redhat.com> 2.6.0-0.11.20090812
- new snapshot at the request of maiku
* Thu Aug  6 2009 Warren Togami <wtogami at redhat.com> 2.6.0-0.10.20090806
- new snapshot - theoretically better sound quality in voice chat
* Tue Aug  4 2009 Warren Togami <wtogami at redhat.com> 2.6.0-0.9.20090804
- new snapshot
* Mon Jul 27 2009 Warren Togami <wtogami at redhat.com> 2.6.0-0.8.20090727
- new snapshot
* Mon Jul 27 2009 Stu Tomlinson <stu at nosnilmot.com> 2.6.0-0.6.20090721
- Prevent main libpurple & pidgin packages depending on perl (#513902)
* Sun Jul 26 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.6.0-0.5.20090721
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
* Wed Jul 22 2009 Warren Togami <wtogami at redhat.com> 2.6.0-0.4.20090721
- rebuild
* Tue Jul 21 2009 Warren Togami <wtogami at redhat.com> 2.6.0-0.3.20090721
- prevent crash with no camera when closing vv window
* Tue Jul 21 2009 Warren Togami <wtogami at redhat.com> 2.6.0-0.1.20090721
- 2.6.0 snapshot with voice and video support via farsight2
* Sat Jul 11 2009 Stu Tomlinson <stu at nosnilmot.com> 2.5.8-2
- Backport patch from upstream to enable NSS to recognize root CA
  certificates that use MD2 & MD4 algorithms in their signature, as
  used by some MSN and XMPP servers
* Sun Jun 28 2009 Warren Togami <wtogami at redhat.com> 2.5.8-1
- 2.5.8 with several important bug fixes
* Mon Jun 22 2009 Warren Togami <wtogami at redhat.com> 2.5.7-2
- glib2 compat with RHEL-4
* Sat Jun 20 2009 Warren Togami <wtogami at redhat.com> 2.5.7-1
- 2.5.7 with Yahoo Protocol 16 support
* Wed May 20 2009 Stu Tomlinson <stu at nosnilmot.com> 2.5.6-1
- 2.5.6
* Mon Apr 20 2009 Warren Togami <wtogami at redhat.com> 2.5.5-3
- F12+ removed krb4
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #552483 - CVE-2010-0013 pidgin/libpurple: MSN custom smiley request directory traversal file disclosure
        https://bugzilla.redhat.com/show_bug.cgi?id=552483
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update pidgin' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------