Skip Quicknav

• About Debian
• News
• Getting Debian
• Support
• Developers' Corner
• Site map
• Search

Debian Security Advisory

DSA-1870-1 pidgin -- insufficient input validation

Date Reported:

19 Aug 2009

Affected Packages:

pidgin

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2009-2694.

More information:

Federico Muttis discovered that libpurple, the shared library that adds support for various instant messaging networks to the pidgin IM client, is vulnerable to a heap-based buffer overflow. This issue exists because of an incomplete fix for CVE-2008-2927 and CVE-2009-1376. An attacker can exploit this by sending two consecutive SLP packets to a victim via MSN.

The first packet is used to create an SLP message object with an offset of zero, the second packet then contains a crafted offset which hits the vulnerable code originally fixed in CVE-2008-2927 and CVE-2009-1376 and allows an attacker to execute arbitrary code.

Note: Users with the "Allow only the users below" setting are not vulnerable to this attack. If you can't install the below updates you may want to set this via Tools->Privacy.

For the stable distribution (lenny), this problem has been fixed in version 2.4.3-4lenny3.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 2.5.9-1.

We recommend that you upgrade your pidgin packages.

Fixed in:

Debian GNU/Linux 5.0 (lenny)

Source:

http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3.orig.tar.gz

http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3.dsc

http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3.diff.gz

Architecture-independent component:

http://security.debian.org/pool/updates/main/p/pidgin/libpurple-bin_2.4.3-4lenny3_all.deb

http://security.debian.org/pool/updates/main/p/pidgin/pidgin-data_2.4.3-4lenny3_all.deb

http://security.debian.org/pool/updates/main/p/pidgin/libpurple-dev_2.4.3-4lenny3_all.deb

http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dev_2.4.3-4lenny3_all.deb

http://security.debian.org/pool/updates/main/p/pidgin/finch-dev_2.4.3-4lenny3_all.deb

Alpha:

http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_alpha.deb

http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_alpha.deb

http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_alpha.deb

http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_alpha.deb

AMD64:

http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_amd64.deb

http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_amd64.deb

http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_amd64.deb

http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_amd64.deb

ARM:

http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_arm.deb

http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_arm.deb

http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_arm.deb

http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_arm.deb

ARM EABI:

http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_armel.deb

http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_armel.deb

http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_armel.deb

http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_armel.deb

HP Precision:

http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_hppa.deb

http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_hppa.deb

http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_hppa.deb

http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_hppa.deb

Intel IA-32:

http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_i386.deb

http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_i386.deb

http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_i386.deb

http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_i386.deb

Intel IA-64:

http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_ia64.deb

http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_ia64.deb

http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_ia64.deb

http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_ia64.deb

Big-endian MIPS:

http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_mips.deb

http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_mips.deb

http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_mips.deb

http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_mips.deb

PowerPC:

http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_powerpc.deb

http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_powerpc.deb

http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_powerpc.deb

http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_powerpc.deb

MD5 checksums of the listed files are available in the original advisory.

This page is also available in the following languages:

dansk 日本語 (Nihongo) svenska

How to set the default document language