Date: Thu, 4 Jun 2009 07:00:11 +0400 (MSD)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/135239: [vuxml] net-im/pidgin: document CVE-2009-137[3, 4, 5, 6]
Message-ID: <20090604030011.CC597B8031@phoenix.codelabs.ru>
Resent-Message-ID: <200906040310.n543A1Rb039293@freefall.freebsd.org>
>Number: 135239
>Category: ports
>Synopsis: [vuxml] net-im/pidgin: document CVE-2009-137[3,4,5,6]
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jun 04 03:10:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.2-STABLE amd64
>Organization: Code Labs
>Environment:

System: FreeBSD 7.2-STABLE amd64

>Description:

Multiple vulnerabilities were fixed in Pidgin 2.5.6: [1], [2], [3], [4].

>How-To-Repeat:

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1373
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1374
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1375
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1376

>Fix:

FreeBSD port is already at 2.5.6, so it's not currently affected.

The following VuXML entry should be evaluated and added:

--- vuln.xml begins here ---
  <vuln vid="f05c7f03-5065-11de-9826-001fc66e7203">
    <topic>pidgin -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>pidgin</name>
        <range><lt>2.5.6</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Secunia reports:</p>
        <blockquote cite="http://secunia.com/advisories/35194/">
          <p>Some vulnerabilities and weaknesses have been reported in
            Pidgin, which can be exploited by malicious people to cause
            a DoS (Denial of Service) or to potentially compromise a
            user's system.</p>
          <ol>
            <li>A truncation error in the processing of MSN SLP messages
              can be exploited to cause a buffer overflow.</li>
            <li>A boundary error in the XMPP SOCKS5 "bytestream" server
              when initiating an outgoing file transfer can be exploited
              to cause a buffer overflow.</li>
            <li>A boundary error exists in the implementation of the
              "PurpleCircBuffer" structure. This can be exploited to
              corrupt memory and cause a crash via specially crafted
              XMPP or Sametime packets.</li>
            <li>A boundary error in the "decrypt_out()" function can be
              exploited to cause a stack-based buffer overflow with 8
              bytes and crash the application via a specially crafted
              QQ packet.</li>
          </ol>
          <p>Successful exploitation of vulnerabilities #1 and #2 may
            allow execution of arbitrary code.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2009-1373</cvename>
      <cvename>CVE-2009-1374</cvename>
      <cvename>CVE-2009-1375</cvename>
      <cvename>CVE-2009-1376</cvename>
      <bid>35067</bid>
      <url>http://secunia.com/advisories/35194/</url>
    </references>
    <dates>
      <discovery>2009-06-03</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:
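
The following is an added example, not part of the original message or of the FreeBSD tooling: a small Python check of an installed version against the `<range>` in the entry above, showing why 2.5.6 falls outside `<lt>2.5.6</lt>`. The function names are hypothetical, and the version comparison is a simplification that assumes dotted numeric versions only (no port revision or epoch suffixes).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <affects> part of the entry in the message, trimmed.
VULN_XML = """<vuln vid="f05c7f03-5065-11de-9826-001fc66e7203">
  <affects>
    <package>
      <name>pidgin</name>
      <range><lt>2.5.6</lt></range>
    </package>
  </affects>
</vuln>"""

# VuXML range bounds, applied to the sign of (installed - bound).
OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}

def parse_version(text):
    """Assumption: dotted numeric versions only (no port revision or epoch)."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return [int(part) for part in text.split(".")]

def cmp_versions(a, b):
    """Return -1, 0 or 1; missing trailing components count as 0."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += [0] * (width - len(va))
    vb += [0] * (width - len(vb))
    return (va > vb) - (va < vb)

def is_affected(vuln_xml, package, installed):
    """True if `installed` lies inside any <range> listed for `package`."""
    root = ET.fromstring(vuln_xml)
    for pkg in root.iter("package"):
        if package not in [n.text.strip() for n in pkg.findall("name")]:
            continue
        for rng in pkg.findall("range"):
            bounds = list(rng)
            # Bounds inside one <range> must all hold; separate ranges are alternatives.
            if bounds and all(OPS[b.tag](cmp_versions(installed, b.text.strip())) for b in bounds):
                return True
    return False

if __name__ == "__main__":
    for v in ("2.5.5", "2.5.6"):
        print(v, "affected" if is_affected(VULN_XML, "pidgin", v) else "not affected")
```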