USN-781-1: Pidgin vulnerabilities

===========================================================

Ubuntu Security Notice USN-781-1                                                June 03, 2009

pidgin vulnerabilities

CVE-2009-1373, CVE-2009-1374, CVE-2009-1375, CVE-2009-1376 ===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS

Ubuntu 8.10

Ubuntu 9.04

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 8.04 LTS:

pidgin 1:2.4.1-1ubuntu2.4

Ubuntu 8.10:

pidgin 1:2.5.2-0ubuntu1.2

Ubuntu 9.04:

pidgin 1:2.5.5-1ubuntu8.1

After a standard system upgrade you need to restart Pidgin to effect the necessary changes.

Details follow:

It was discovered that Pidgin did not properly handle certain malformed messages when sending a file using the XMPP protocol handler. If a user were tricked into sending a file, a remote attacker could send a specially crafted response and cause Pidgin to crash, or possibly execute arbitrary code with user privileges. (CVE-2009-1373)

It was discovered that Pidgin did not properly handle certain malformed messages in the QQ protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash. This issue only affected Ubuntu 8.10 and 9.04. (CVE-2009-1374)

It was discovered that Pidgin did not properly handle certain malformed messages in the XMPP and Sametime protocol handlers. A remote attacker could send a specially crafted message and cause Pidgin to crash. (CVE-2009-1375)

It was discovered that Pidgin did not properly handle certain malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2009-1376)

Source: http://www.ubuntu.com/usn/USN-781-1