Debian Bug report logs - #566775
pidgin: CVE-2010-0277 denial-of-service


Package: pidgin; Maintainer for pidgin is Ari Pollak <ari@debian.org>; Source for pidgin is src:pidgin.

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Mon, 25 Jan 2010 02:21:01 UTC

Severity: important

Tags: security

Found in version pidgin/2.6.5-2

Fixed in versions pidgin/2.6.6-1, pidgin/2.4.3-4lenny6

Done: Ari Pollak <ari@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#566775; Package pidgin. (Mon, 25 Jan 2010 02:21:04 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Ari Pollak <ari@debian.org>. (Mon, 25 Jan 2010 02:21:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: pidgin: CVE-2010-0277 denial-of-service
Date: Sun, 24 Jan 2010 21:18:42 -0500
Package: pidgin
Version: 2.6.5-2
Severity: important
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) id was
published for pidgin.

CVE-2010-0277[0]:
| slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and
| Adium 1.3.8 allows remote attackers to cause a denial of service
| (memory corruption) or possibly have unspecified other impact via
| unknown vectors, a different issue than CVE-2010-0013.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0277
    http://security-tracker.debian.org/tracker/CVE-2010-0277




Reply sent to Ari Pollak <ari@debian.org>:
You have taken responsibility. (Thu, 18 Feb 2010 15:57:09 GMT)

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Thu, 18 Feb 2010 15:57:10 GMT)

Message #10 received at 566775-close@bugs.debian.org:

From: Ari Pollak <ari@debian.org>
To: 566775-close@bugs.debian.org
Subject: Bug#566775: fixed in pidgin 2.6.6-1
Date: Thu, 18 Feb 2010 15:53:04 +0000
Source: pidgin
Source-Version: 2.6.6-1

We believe that the bug you reported is fixed in the latest version of
pidgin, which is due to be installed in the Debian FTP archive:

finch-dev_2.6.6-1_all.deb
  to main/p/pidgin/finch-dev_2.6.6-1_all.deb
finch_2.6.6-1_amd64.deb
  to main/p/pidgin/finch_2.6.6-1_amd64.deb
libpurple-bin_2.6.6-1_all.deb
  to main/p/pidgin/libpurple-bin_2.6.6-1_all.deb
libpurple-dev_2.6.6-1_all.deb
  to main/p/pidgin/libpurple-dev_2.6.6-1_all.deb
libpurple0_2.6.6-1_amd64.deb
  to main/p/pidgin/libpurple0_2.6.6-1_amd64.deb
pidgin-data_2.6.6-1_all.deb
  to main/p/pidgin/pidgin-data_2.6.6-1_all.deb
pidgin-dbg_2.6.6-1_amd64.deb
  to main/p/pidgin/pidgin-dbg_2.6.6-1_amd64.deb
pidgin-dev_2.6.6-1_all.deb
  to main/p/pidgin/pidgin-dev_2.6.6-1_all.deb
pidgin_2.6.6-1.debian.tar.gz
  to main/p/pidgin/pidgin_2.6.6-1.debian.tar.gz
pidgin_2.6.6-1.dsc
  to main/p/pidgin/pidgin_2.6.6-1.dsc
pidgin_2.6.6-1_amd64.deb
  to main/p/pidgin/pidgin_2.6.6-1_amd64.deb
pidgin_2.6.6.orig.tar.bz2
  to main/p/pidgin/pidgin_2.6.6.orig.tar.bz2



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 566775@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ari Pollak <ari@debian.org> (supplier of updated pidgin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Tue, 16 Feb 2010 16:50:02 -0500
Source: pidgin
Binary: libpurple0 pidgin pidgin-data pidgin-dev pidgin-dbg finch finch-dev libpurple-dev libpurple-bin
Architecture: source all amd64
Version: 2.6.6-1
Distribution: unstable
Urgency: high
Maintainer: Ari Pollak <ari@debian.org>
Changed-By: Ari Pollak <ari@debian.org>
Description: 
 finch      - text-based multi-protocol instant messaging client
 finch-dev  - text-based multi-protocol instant messaging client - development
 libpurple-bin - multi-protocol instant messaging library - extra utilities
 libpurple-dev - multi-protocol instant messaging library - development files
 libpurple0 - multi-protocol instant messaging library
 pidgin     - graphical multi-protocol instant messaging client for X
 pidgin-data - multi-protocol instant messaging client - data files
 pidgin-dbg - Debugging symbols for Pidgin
 pidgin-dev - multi-protocol instant messaging client - development files
Closes: 566775
Changes: 
 pidgin (2.6.6-1) unstable; urgency=high
 .
   * New upstream release
     - Fixes a remote MSN SLP crash (CVE-2010-0277) (Closes: #566775)
     - Fixes a remote Finch XMPP crash (CVE-2010-0420)
     - Fixes a remote smiley freeze/CPU pegging DoS (CVE-2010-0423)
Checksums-Sha1: 
 33797a5a5fb52cb57d8edbc1d8cc5dbd4cada502 1940 pidgin_2.6.6-1.dsc
 d74459152f9598139a3fd8aee385e3366722155c 9479337 pidgin_2.6.6.orig.tar.bz2
 f393530b9104bb1ff68fd69257c11fffbbb2a634 56621 pidgin_2.6.6-1.debian.tar.gz
 ba300667e73a10d17e64d918bdbf11a29fb2eeef 7954392 pidgin-data_2.6.6-1_all.deb
 faad34ba3427d049d1a0860a72ba963c12b04ca9 1841064 pidgin-dev_2.6.6-1_all.deb
 468269946a55e8b417876c49c54fe686ea4421e6 127696 finch-dev_2.6.6-1_all.deb
 64ea451e787c9bd544c5239385f8820c68195204 283756 libpurple-dev_2.6.6-1_all.deb
 78a03e045854281202221caf0453fcc442d961b0 101350 libpurple-bin_2.6.6-1_all.deb
 e42c2c74cbdce533829f6569ba408c2b1475722b 1979484 libpurple0_2.6.6-1_amd64.deb
 ee888bd71d79f8036e2f4078c4cb64a980806896 783428 pidgin_2.6.6-1_amd64.deb
 a27013c0222fe449b1d42dda68d6675c2ddd42cc 6256694 pidgin-dbg_2.6.6-1_amd64.deb
 501fbfc832208e3ab8d9edb886d6897ca232b8dd 331314 finch_2.6.6-1_amd64.deb
Checksums-Sha256: 
 b1076e3fb3ab1f4efc858ae81077a26fe2121ef4559ca24182533f104e74c771 1940 pidgin_2.6.6-1.dsc
 6ebbe9d339246dfebb244e4c855c4feb678f120d1024ef2ee269e2fde77b2ad9 9479337 pidgin_2.6.6.orig.tar.bz2
 4237a76462927c361efe74ee2a4f91b19a17005914d1611bc0747c67e8c394cd 56621 pidgin_2.6.6-1.debian.tar.gz
 58d7f1894197cc3d5b3a8fd11de82e896b0f8e061416c727e674b5c43a12c7a0 7954392 pidgin-data_2.6.6-1_all.deb
 2b1575c862326952d9fd830a32262a654d62c927381d12304b2fb674242b0fe9 1841064 pidgin-dev_2.6.6-1_all.deb
 2b051aea74ed32bf348bb00740fd499a96839dad5493e4218449af510491502a 127696 finch-dev_2.6.6-1_all.deb
 7e18468ec03571482e44208485ba666c37194182579ab14b84f06d8b0a86aa04 283756 libpurple-dev_2.6.6-1_all.deb
 64521a446161c3714f7eac096b8118cc73d18510d5f8dfbfe5ad5468fec030c0 101350 libpurple-bin_2.6.6-1_all.deb
 1b6362f5d296c0855e5c722c312ecf0c8520696f5a81a70709b0ebd1660ec91a 1979484 libpurple0_2.6.6-1_amd64.deb
 3cdf1b82636fe0062bcb92d23c8d17da0325fbfbc704e718c0a6328710b812f2 783428 pidgin_2.6.6-1_amd64.deb
 bca2538e67fa1fb063baf47d8001ea418202284cb527af07be1595a2665bccbf 6256694 pidgin-dbg_2.6.6-1_amd64.deb
 aed7d7df94bbfbe8dd7982852dcc0d9bc7b29deaad0368c1e26d4fc53ba5f076 331314 finch_2.6.6-1_amd64.deb
Files: 
 5e02517799a6266baaabd417557d995a 1940 net optional pidgin_2.6.6-1.dsc
 b37ab6c52db8355e8c70c044c2ba17c1 9479337 net optional pidgin_2.6.6.orig.tar.bz2
 8bc0002976466ea6fe84d9ff2787232b 56621 net optional pidgin_2.6.6-1.debian.tar.gz
 65e2ee448648323e6e48079286d2a827 7954392 net optional pidgin-data_2.6.6-1_all.deb
 2ebad894dd12696851493c34b7e11b67 1841064 devel optional pidgin-dev_2.6.6-1_all.deb
 4ab133c1fe00c387ff55803b66090f67 127696 devel optional finch-dev_2.6.6-1_all.deb
 5fc616e29d368933b5834360d880e63c 283756 libdevel optional libpurple-dev_2.6.6-1_all.deb
 b5aa34ee52b2c6ab1824d04510236a14 101350 net optional libpurple-bin_2.6.6-1_all.deb
 9d81bb2115b7de6d915e173718583fbd 1979484 net optional libpurple0_2.6.6-1_amd64.deb
 a69e25628cb5d8827f742dc203a9039f 783428 net optional pidgin_2.6.6-1_amd64.deb
 bac2cee051ef9638b7c066c0a18c2eb1 6256694 debug extra pidgin-dbg_2.6.6-1_amd64.deb
 d8d55480b6786593f3860de43957c169 331314 net optional finch_2.6.6-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEAREDAAYFAkt9RvUACgkQwO+u47cOQDu9DgCgh2BqYKP+Ab7GWIGvRkN8PhfV
LRgAoJzAie4rG4oZHXY4hesIKcIFAjH4
=sUMi
-----END PGP SIGNATURE-----





Reply sent to Ari Pollak <ari@debian.org>:
You have taken responsibility. (Sun, 18 Apr 2010 20:06:10 GMT)

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Sun, 18 Apr 2010 20:06:10 GMT)

Message #15 received at 566775-close@bugs.debian.org:

From: Ari Pollak <ari@debian.org>
To: 566775-close@bugs.debian.org
Subject: Bug#566775: fixed in pidgin 2.4.3-4lenny6
Date: Sun, 18 Apr 2010 20:02:47 +0000
Source: pidgin
Source-Version: 2.4.3-4lenny6

We believe that the bug you reported is fixed in the latest version of
pidgin, which is due to be installed in the Debian FTP archive:

finch-dev_2.4.3-4lenny6_all.deb
  to main/p/pidgin/finch-dev_2.4.3-4lenny6_all.deb
finch_2.4.3-4lenny6_amd64.deb
  to main/p/pidgin/finch_2.4.3-4lenny6_amd64.deb
libpurple-bin_2.4.3-4lenny6_all.deb
  to main/p/pidgin/libpurple-bin_2.4.3-4lenny6_all.deb
libpurple-dev_2.4.3-4lenny6_all.deb
  to main/p/pidgin/libpurple-dev_2.4.3-4lenny6_all.deb
libpurple0_2.4.3-4lenny6_amd64.deb
  to main/p/pidgin/libpurple0_2.4.3-4lenny6_amd64.deb
pidgin-data_2.4.3-4lenny6_all.deb
  to main/p/pidgin/pidgin-data_2.4.3-4lenny6_all.deb
pidgin-dbg_2.4.3-4lenny6_amd64.deb
  to main/p/pidgin/pidgin-dbg_2.4.3-4lenny6_amd64.deb
pidgin-dev_2.4.3-4lenny6_all.deb
  to main/p/pidgin/pidgin-dev_2.4.3-4lenny6_all.deb
pidgin_2.4.3-4lenny6.diff.gz
  to main/p/pidgin/pidgin_2.4.3-4lenny6.diff.gz
pidgin_2.4.3-4lenny6.dsc
  to main/p/pidgin/pidgin_2.4.3-4lenny6.dsc
pidgin_2.4.3-4lenny6_amd64.deb
  to main/p/pidgin/pidgin_2.4.3-4lenny6_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 566775@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ari Pollak <ari@debian.org> (supplier of updated pidgin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Sun, 14 Feb 2010 15:33:23 -0500
Source: pidgin
Binary: libpurple0 pidgin pidgin-data pidgin-dev pidgin-dbg finch finch-dev libpurple-dev libpurple-bin
Architecture: source all amd64
Version: 2.4.3-4lenny6
Distribution: stable-security
Urgency: medium
Maintainer: Ari Pollak <ari@debian.org>
Changed-By: Ari Pollak <ari@debian.org>
Description: 
 finch      - text-based multi-protocol instant messaging client
 finch-dev  - text-based multi-protocol instant messaging client - development
 libpurple-bin - multi-protocol instant messaging library - extra utilities
 libpurple-dev - multi-protocol instant messaging library - development files
 libpurple0 - multi-protocol instant messaging library
 pidgin     - graphical multi-protocol instant messaging client for X
 pidgin-data - multi-protocol instant messaging client - data files
 pidgin-dbg - Debugging symbols for Pidgin
 pidgin-dev - multi-protocol instant messaging client - development files
Closes: 566775
Changes: 
 pidgin (2.4.3-4lenny6) stable-security; urgency=medium
 .
   * Disable MSN entirely, since Microsoft's servers won't work with this
     version anyway; avoids a bunch of MSN-related holes
     (CVE-2010-0277, CVE-2009-3084, CVE-2009-3083) (Closes: #566775)
   * debian/patches/38_CVE-2010-0423.patch:
     - Fixes a remote DoS with too many custom smileys (no CVE yet?)
   * debian/patches/39_CVE-2010-0420:
     - Fixes a remote crash in Finch XMPP (CVE-2010-0420)
Checksums-Sha1: 
 8ba4a22a16f6e53175a600b60e3c93660e87efdf 1784 pidgin_2.4.3-4lenny6.dsc
 87b8481ddb9c1242a34141b4efd7c15e98ca3e78 72144 pidgin_2.4.3-4lenny6.diff.gz
 3ad6628a0f42e3b82545c026373068a020ce5a35 7019074 pidgin-data_2.4.3-4lenny6_all.deb
 460d11dc4bcedb164a6f717ff4864d708ca50fe7 193802 pidgin-dev_2.4.3-4lenny6_all.deb
 ce75593e44b73a3180cd35eafdb4ab4d78b73da9 159726 finch-dev_2.4.3-4lenny6_all.deb
 c7381f26e7449da0fa930da51d84bd7e06ea993f 277220 libpurple-dev_2.4.3-4lenny6_all.deb
 e8fa5ad08bfc48784ade2cfa8da3936864e0e592 133894 libpurple-bin_2.4.3-4lenny6_all.deb
 7766661822af6a9c16b23b3a799837eaf29c0d94 1406192 libpurple0_2.4.3-4lenny6_amd64.deb
 c0847319eefcd9bc7052c68b6c32d1f1ed0b5bf6 727918 pidgin_2.4.3-4lenny6_amd64.deb
 91050cf012b880830537a206c91859fbdb7a2319 5067988 pidgin-dbg_2.4.3-4lenny6_amd64.deb
 a953ed230afb466b071b73f9b9e40579bb8410fc 348062 finch_2.4.3-4lenny6_amd64.deb
Checksums-Sha256: 
 114826484725bba9e53323cfdb6f6d6a7485e7a2397e7c7da1267568627d4ae4 1784 pidgin_2.4.3-4lenny6.dsc
 d346de4c6327db22470ee6ccd88e7a8f8ca2bc814cae21bc7a1f55d96721ff86 72144 pidgin_2.4.3-4lenny6.diff.gz
 41ebccc101fa58324dd591a7b05d9b375adf61a133572521150aae929ec27eaa 7019074 pidgin-data_2.4.3-4lenny6_all.deb
 951fa96a2644c2d538621100d9d55c3107cd533f1fd9d3441101c1eb5721c988 193802 pidgin-dev_2.4.3-4lenny6_all.deb
 ed4e81175b9f8a01f152d376a7be48b626c3785c2bcfce7699b697985867d18d 159726 finch-dev_2.4.3-4lenny6_all.deb
 f9d6579cca9ba4cef47e5155d31ecd9dfce134557058e75a5cd3ddfb2bafbc6f 277220 libpurple-dev_2.4.3-4lenny6_all.deb
 9a3a92652863434bdd28860be81f50a0f0947c9b13ea04cbd16476c5737a3c59 133894 libpurple-bin_2.4.3-4lenny6_all.deb
 abaed1b1f3b6bd3a28e53d7bf0e12be4a7efe8128e1603e58d1439e71258a250 1406192 libpurple0_2.4.3-4lenny6_amd64.deb
 5cf53f88fd0f9b1cb20ba5c9990a44ce115d4542d611ab694ae73b0fb725c06f 727918 pidgin_2.4.3-4lenny6_amd64.deb
 98985f1c062d352277d7dba6b2ae20dd8f27d3264fea563d9349d9728cce0a50 5067988 pidgin-dbg_2.4.3-4lenny6_amd64.deb
 713a3cb879a9ccfc200984c2e72d9b701241056d23a38f338c201ef4b1eb1b7c 348062 finch_2.4.3-4lenny6_amd64.deb
Files: 
 f640f8119ef901c7be009232c6dfee05 1784 net optional pidgin_2.4.3-4lenny6.dsc
 85217de41bcd069748eb441886cdfab9 72144 net optional pidgin_2.4.3-4lenny6.diff.gz
 1c79c0da4c115e2699d577b957c4e541 7019074 net optional pidgin-data_2.4.3-4lenny6_all.deb
 b05666d23964d0d28646dc49a85de940 193802 devel optional pidgin-dev_2.4.3-4lenny6_all.deb
 c657bace836fb1d4f3c04c57bdcd7e19 159726 devel optional finch-dev_2.4.3-4lenny6_all.deb
 9517eadf780382575efcd57ba9dc308b 277220 libdevel optional libpurple-dev_2.4.3-4lenny6_all.deb
 49e2b54dcad5a2b40705478118da2d72 133894 net optional libpurple-bin_2.4.3-4lenny6_all.deb
 68711767e43c6a0722b8b4d5ed59843a 1406192 net optional libpurple0_2.4.3-4lenny6_amd64.deb
 e6447c0efc4f5c490bc806f00840b075 727918 net optional pidgin_2.4.3-4lenny6_amd64.deb
 c430e8ff4e8b13830c71da4f6948a4f6 5067988 net extra pidgin-dbg_2.4.3-4lenny6_amd64.deb
 042092eae5df409b1b39ae96a6a5b856 348062 net optional finch_2.4.3-4lenny6_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEAREDAAYFAkt6/38ACgkQwO+u47cOQDuEwQCaA8sDwqMfNIrqW9P7JOtaoiz3
vDAAni91X4zZgKAs0736u3z0MJfWWdC6
=wRQP
-----END PGP SIGNATURE-----
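Both close messages above carry a PGP-signed .changes file whose Checksums-Sha1, Checksums-Sha256 and Files (MD5) stanzas record the size and digest of every uploaded artifact. The following is an added example, not Debian's own tooling (dpkg-dev, dak and apt do this for real): it parses those stanzas from a .changes file and checks a downloaded artifact against them. The SAMPLE_CHANGES text is constructed in the same layout as the two .changes files in this log; its digests are those of the 3-byte file "abc" and of the empty file, not of any real pidgin package. The example assumes the PGP signature over the .changes file has already been verified (for instance with gpg --verify), since that signature is what binds the checksums to the uploader; a digest match alone proves only that the file was not corrupted after the signed record was made.

```python
"""Check an artifact against the checksum stanzas of a Debian .changes file.

Added example, not Debian tooling.  It assumes the .changes signature
was already verified; only the size/digest comparison is done here.
"""
import hashlib
import hmac
import re

# .changes field -> hashlib algorithm.  "Files" carries MD5 in the layout
# (md5 size section priority name); the Checksums-* fields use
# (digest size name).  In both, the filename is the last token.
FIELD_ALGOS = {
    "Checksums-Sha256": "sha256",
    "Checksums-Sha1": "sha1",
    "Files": "md5",
}

# Constructed sample (not a real upload).  Digests are those of b"abc"
# (3 bytes) and of the empty file (0 bytes).
SAMPLE_CHANGES = """Format: 1.8
Source: example
Version: 1.0-1
Checksums-Sha1: 
 a9993e364706816aba3e25717850c26c9cd0d89d 3 example_1.0-1_all.deb
 da39a3ee5e6b4b0d3255bfef95601890afd80709 0 example_1.0-1.dsc
Checksums-Sha256: 
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 example_1.0-1_all.deb
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 example_1.0-1.dsc
Files: 
 900150983cd24fb0d6963f7d28e17f72 3 net optional example_1.0-1_all.deb
 d41d8cd98f00b204e9800998ecf8427e 0 net optional example_1.0-1.dsc
"""


def parse_checksums(changes_text, field="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} for one checksum stanza.

    A stanza is the "Field:" line followed by continuation lines that
    begin with a single space; the first non-indented line ends it.
    Malformed digests raise rather than silently fail the match later.
    """
    if field not in FIELD_ALGOS:
        raise ValueError("unsupported field %r" % field)
    hexlen = hashlib.new(FIELD_ALGOS[field]).digest_size * 2
    entries = {}
    in_stanza = False
    for line in changes_text.splitlines():
        if not in_stanza:
            in_stanza = line.split(":", 1)[0] == field
            continue
        if not line.startswith(" "):
            break  # next field starts: stanza finished
        parts = line.split()
        if len(parts) < 3:
            continue  # tolerate a stray blank continuation line
        digest, size, name = parts[0], int(parts[1]), parts[-1]
        if not re.fullmatch(r"[0-9a-f]{%d}" % hexlen, digest):
            raise ValueError("malformed %s digest for %s" % (field, name))
        entries[name] = (digest, size)
    return entries


def verify_file(name, data, changes_text, field="Checksums-Sha256"):
    """True iff `data` matches the size and digest recorded for `name`.

    Size is checked first so a truncated or padded download fails even
    before hashing; an unknown filename is a failure, not a pass.
    """
    entries = parse_checksums(changes_text, field)
    if name not in entries:
        return False
    expected_digest, expected_size = entries[name]
    if len(data) != expected_size:
        return False
    actual = hashlib.new(FIELD_ALGOS[field], data).hexdigest()
    return hmac.compare_digest(actual, expected_digest)


if __name__ == "__main__":
    for fname, payload in (("example_1.0-1_all.deb", b"abc"),
                           ("example_1.0-1.dsc", b"")):
        for fld in FIELD_ALGOS:
            print(fld, fname, verify_file(fname, payload, SAMPLE_CHANGES, fld))
```

Prefer the Checksums-Sha256 stanza when it is present; the Files stanza is kept by the format for compatibility and carries MD5, which should not be relied on for integrity against an active attacker.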





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 May 2010 07:35:20 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 25 09:25:19 2014; Machine Name: beach.debian.org
