Oval Definition: oval:org.mitre.oval:def:12608
Revision Date: 2014-06-30
Version: 21
Title: USN-886-1 -- pidgin vulnerabilities
Description: It was discovered that Pidgin did not properly handle certain topic messages in the IRC protocol handler. If a user were tricked into connecting to a malicious IRC server, an attacker could cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04.

It was discovered that Pidgin did not properly enforce the "require TLS/SSL" setting when connecting to certain older Jabber servers. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04.

It was discovered that Pidgin did not properly handle certain SLP invite messages in the MSN protocol handler. A remote attacker could send a specially crafted invite message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04.

It was discovered that Pidgin did not properly handle certain errors in the XMPP protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 8.10 and Ubuntu 9.04.

It was discovered that Pidgin did not properly handle malformed contact-list data in the OSCAR protocol handler. A remote attacker could send specially crafted contact-list data and cause Pidgin to crash, leading to a denial of service.

It was discovered that Pidgin did not properly handle custom smiley requests in the MSN protocol handler. A remote attacker could send a specially crafted filename in a custom smiley request and obtain arbitrary files via directory traversal. This issue only affected Ubuntu 8.10, Ubuntu 9.04 and Ubuntu 9.10.

Pidgin for Ubuntu 8.04 LTS was also updated to fix connection issues with the MSN protocol.

USN-675-1 and USN-781-1 provided updated Pidgin packages to fix multiple security vulnerabilities in Ubuntu 8.04 LTS. The security patches to fix CVE-2008-2955 and CVE-2009-1376 were incomplete. This update corrects the problem.

Original advisory details: It was discovered that Pidgin did not properly handle file transfers containing a long filename and special characters in the MSN protocol handler. A remote attacker could send a specially crafted filename in a file transfer request and cause Pidgin to crash, leading to a denial of service. It was discovered that Pidgin did not properly handle certain malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges.
Family: unix
Class: patch
Status: ACCEPTED
Reference(s): CVE-2008-2955
CVE-2009-1376
CVE-2009-2703
CVE-2009-3026
CVE-2009-3083
CVE-2009-3085
CVE-2009-3615
CVE-2010-0013
USN-886-1
Platform(s): Ubuntu 8.04
Ubuntu 8.10
Ubuntu 9.04
Ubuntu 9.10
Product(s): pidgin
Definition Synopsis
  • Release section
    • Ubuntu 8.04 is installed
    • AND Architecture section
      • Architecture independent section
        • Installed architecture is all
        • AND Packages section
          • finch-dev DPKG is earlier than 2.4.1-1ubuntu2.8
          • OR pidgin-dev DPKG is earlier than 2.4.1-1ubuntu2.8
          • OR gaim DPKG is earlier than 2.4.1-1ubuntu2.8
          • OR libpurple-bin DPKG is earlier than 2.4.1-1ubuntu2.8
          • OR libpurple-dev DPKG is earlier than 2.4.1-1ubuntu2.8
          • OR pidgin-data DPKG is earlier than 2.4.1-1ubuntu2.8
      • OR Architecture depended section
        • Supported architectures section
          • Installed architecture is amd64
          • OR Installed architecture is i386
          • OR Installed architecture is powerpc
          • OR Installed architecture is sparc
          • OR Installed architecture is lpia
        • AND Packages section
          • libpurple0 DPKG is earlier than 2.4.1-1ubuntu2.8
          • OR pidgin-dbg DPKG is earlier than 2.4.1-1ubuntu2.8
          • OR pidgin DPKG is earlier than 2.4.1-1ubuntu2.8
          • OR finch DPKG is earlier than 2.4.1-1ubuntu2.8
  • OR Release section
    • Ubuntu 8.10 is installed
    • AND Architecture section
      • Architecture independent section
        • Installed architecture is all
        • AND Packages section
          • libpurple-dev DPKG is earlier than 2.5.2-0ubuntu1.6
          • OR finch-dev DPKG is earlier than 2.5.2-0ubuntu1.6
          • OR pidgin-dev DPKG is earlier than 2.5.2-0ubuntu1.6
          • OR libpurple-bin DPKG is earlier than 2.5.2-0ubuntu1.6
          • OR pidgin-data DPKG is earlier than 2.5.2-0ubuntu1.6
      • OR Architecture depended section
        • Supported architectures section
          • Installed architecture is amd64
          • OR Installed architecture is i386
          • OR Installed architecture is powerpc
          • OR Installed architecture is sparc
          • OR Installed architecture is lpia
        • AND Packages section
          • libpurple0 DPKG is earlier than 2.5.2-0ubuntu1.6
          • OR pidgin-dbg DPKG is earlier than 2.5.2-0ubuntu1.6
          • OR pidgin DPKG is earlier than 2.5.2-0ubuntu1.6
          • OR finch DPKG is earlier than 2.5.2-0ubuntu1.6
  • OR Release section
    • Ubuntu 9.10 is installed
    • AND Architecture section
      • Architecture independent section
        • Installed architecture is all
        • AND Packages section
          • libpurple-dev DPKG is earlier than 2.6.2-1ubuntu7.1
          • OR finch-dev DPKG is earlier than 2.6.2-1ubuntu7.1
          • OR pidgin-dev DPKG is earlier than 2.6.2-1ubuntu7.1
          • OR libpurple-bin DPKG is earlier than 2.6.2-1ubuntu7.1
          • OR pidgin-data DPKG is earlier than 2.6.2-1ubuntu7.1
      • OR Architecture depended section
        • Supported architectures section
          • Installed architecture is amd64
          • OR Installed architecture is i386
          • OR Installed architecture is powerpc
          • OR Installed architecture is sparc
          • OR Installed architecture is lpia
        • AND Packages section
          • libpurple0 DPKG is earlier than 2.6.2-1ubuntu7.1
          • OR pidgin-dbg DPKG is earlier than 2.6.2-1ubuntu7.1
          • OR pidgin DPKG is earlier than 2.6.2-1ubuntu7.1
          • OR finch DPKG is earlier than 2.6.2-1ubuntu7.1
  • OR Release section
    • Ubuntu 9.04 is installed
    • AND Architecture section
      • Architecture independent section
        • Installed architecture is all
        • AND Packages section
          • libpurple-dev DPKG is earlier than 2.5.5-1ubuntu8.5
          • OR finch-dev DPKG is earlier than 2.5.5-1ubuntu8.5
          • OR pidgin-dev DPKG is earlier than 2.5.5-1ubuntu8.5
          • OR libpurple-bin DPKG is earlier than 2.5.5-1ubuntu8.5
          • OR pidgin-data DPKG is earlier than 2.5.5-1ubuntu8.5
      • OR Architecture depended section
        • Supported architectures section
          • Installed architecture is amd64
          • OR Installed architecture is i386
          • OR Installed architecture is powerpc
          • OR Installed architecture is sparc
          • OR Installed architecture is lpia
        • AND Packages section
          • libpurple0 DPKG is earlier than 2.5.5-1ubuntu8.5
          • OR pidgin-dbg DPKG is earlier than 2.5.5-1ubuntu8.5
          • OR pidgin DPKG is earlier than 2.5.5-1ubuntu8.5
          • OR finch DPKG is earlier than 2.5.5-1ubuntu8.5