Date: Thu, 20 Aug 2009 18:09:44 GMT
From: Armin Pirkovitsch <armin@frozen-zone.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/137997: vuxml update (for pidgin)
Message-ID: <200908201809.n7KI9iDV035571@www.freebsd.org>
Resent-Message-ID: <200908201810.n7KIA633045173@freefall.freebsd.org>
>Number: 137997 >Category: ports >Synopsis: vuxml update (for pidgin) >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Thu Aug 20 18:10:06 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Armin Pirkovitsch >Release: 8.0 Current >Organization: >Environment: >Description: Latest known vulnerability for pidgin: http://www.pidgin.im/news/security/?id=34 http://secunia.com/advisories/36384/ >How-To-Repeat: >Fix: Patch attached with submission follows: --- vuln.xml.orig 2009-08-20 12:24:50.000000000 +0200 +++ vuln.xml 2009-08-20 19:52:31.000000000 +0200 
@@ -917,45 +917,33 @@ <name>pidgin</name> <name>libpurple</name> <name>finch</name> - <range><lt>2.5.6</lt></range> + <range><lt>2.5.9</lt></range> </package> </affects> <description> <body xmlns="http://www.w3.org/1999/xhtml"> <p>Secunia reports:</p> - <blockquote cite="http://secunia.com/advisories/35194/"> - <p>Some vulnerabilities and weaknesses have been reported in Pidgin, - which can be exploited by malicious people to cause a DoS or to - potentially compromise a user's system.</p> - <p>A truncation error in the processing of MSN SLP messages can be - exploited to cause a buffer overflow.</p> - <p>A boundary error in the XMPP SOCKS5 "bytestream" server when - initiating an outgoing file transfer can be exploited to cause a - buffer overflow.</p> - <p>A boundary error exists in the implementation of the - "PurpleCircBuffer" structure. This can be exploited to corrupt memory - and cause a crash via specially crafted XMPP or Sametime - packets.</p> - <p>A boundary error in the "decrypt_out()" function can be exploited - to cause a stack-based buffer overflow with 8 bytes and crash the - application via a specially crafted QQ packet.</p> + <blockquote cite="http://secunia.com/advisories/36384/"> + <p>A vulnerability has been reported in Pidgin, which can be exploited + by malicious people to potentially compromise a user's system.</p> + <p>The vulnerability is caused due to an error in the + "msn_slplink_process_msg()" function when processing MSN SLP messages + and can be exploited to corrupt memory.</p> + <p>Successful exploitation may allow execution of arbitrary code.</p> + <p>The vulnerability is reported in versions 2.5.8 and prior. 
Other + versions may also be affected.</p> </blockquote> </body> </description> <references> <bid>35067</bid> - <cvename>CVE-2009-1373</cvename> - <cvename>CVE-2009-1374</cvename> - <cvename>CVE-2009-1375</cvename> - <cvename>CVE-2009-1376</cvename> - <url>http://secunia.com/advisories/35194/</url> - <url>http://www.pidgin.im/news/security/?id=29</url> - <url>http://www.pidgin.im/news/security/?id=30</url> - <url>http://www.pidgin.im/news/security/?id=32</url> + <cvename>CVE-2009-2694</cvename> + <url>http://secunia.com/advisories/36384/</url> + <url>http://www.pidgin.im/news/security/?id=34</url> </references> <dates> - <discovery>2009-06-03</discovery> - <entry>2009-06-16</entry> + <discovery>2009-08-18</discovery> + <entry>2009-08-20</entry> </dates> </vuln> >Release-Note: >Audit-Trail: >Unformatted:
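Review bot: This should be a new <vuln> entry rather than an edit of the existing one. The removed lines drop the Secunia 35194 description, CVE-2009-1373 through CVE-2009-1376 and the three pidgin.im advisory URLs (id=29, 30, 32), so the record of the issues fixed in 2.5.6 disappears from vuln.xml, and overwriting <discovery> and <entry> makes the old entry look as if it was first published on 2009-08-20. The unchanged context line <bid>35067</bid> also stays in <references> next to CVE-2009-2694; it was listed with the earlier advisory, so please confirm it applies to the msn_slplink_process_msg() issue or remove it. Suggested change: leave the existing entry as it is and add a separate entry with its own vid for <range><lt>2.5.9</lt></range>, carrying only the 36384 references.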