Debians sikkerhedsbulletin
DSA-1870-1 pidgin -- utilstrækkelig fornuftighedskontrol af inddata
- Rapporteret den:
- 19. aug 2009
- Berørte pakker:
- pidgin
- Sårbar:
- Ja
- Referencer i sikkerhedsdatabaser:
- I Mitres CVE-ordbog: CVE-2009-2694.
- Yderligere oplysninger:
-
Federico Muttis opdagede at libpurple, der er et delt bibliotek, som leverer understøttelse af forskellige chatnetværk til chatklienten pidgin, var sårbart over for et heap-baseret bufferoverløb. Problemet findes, på grund af en ufuldstændig rettelse af CVE-2008-2927 og CVE-2009-1376. En angriber kunne udnytte dette ved at sende to på hinanden følgende SLP-pakker til et offer via MSN.
Den første pakke blev anvendt til at oprette et SLP-meddelelsesobjekt med et offset på nul, og den anden pakke indeholdt et fabrikeret offset, der ramte den sårbare kode oprindeligt rettet i CVE-2008-2927 og CVE-2009-1376, og gjorde det muligt for en angriber at udføre vilkårlig kode.
Bemærk: Brugere med indstillingen "Allow only the users below" er ikke sårbare over for angrebet. Hvis du ikke kan installere de nedenfor nævnte opdateringer, vil det måske være en god idé at foretage denne opsætningsændring via Tools->Privacy.
I den stabile distribution (lenny), er dette problem rettet i version 2.4.3-4lenny3.
I distributionen testing (squeeze), vil dette problem snart blive rettet.
I den ustabile distribution (sid), er dette problem rettet i version 2.5.9-1.
Vi anbefaler at du opgraderer dine pidgin-pakker.
- Rettet i:
-
Debian GNU/Linux 5.0 (lenny)
- Kildekode:
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3.orig.tar.gz
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3.dsc
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3.diff.gz
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3.dsc
- Arkitekturuafhængig komponent:
- http://security.debian.org/pool/updates/main/p/pidgin/libpurple-bin_2.4.3-4lenny3_all.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin-data_2.4.3-4lenny3_all.deb
- http://security.debian.org/pool/updates/main/p/pidgin/libpurple-dev_2.4.3-4lenny3_all.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dev_2.4.3-4lenny3_all.deb
- http://security.debian.org/pool/updates/main/p/pidgin/finch-dev_2.4.3-4lenny3_all.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin-data_2.4.3-4lenny3_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_alpha.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_alpha.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_alpha.deb
- http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_alpha.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_amd64.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_amd64.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_amd64.deb
- http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_amd64.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_arm.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_arm.deb
- http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_arm.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_arm.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_arm.deb
- ARM EABI:
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_armel.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_armel.deb
- http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_armel.deb
- http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_armel.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_armel.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_hppa.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_hppa.deb
- http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_hppa.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_hppa.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_i386.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_i386.deb
- http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_i386.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_i386.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_ia64.deb
- http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_ia64.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_ia64.deb
- http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_ia64.deb
- http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_ia64.deb
- Big-endian MIPS:
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_mips.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_mips.deb
- http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_mips.deb
- http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_mips.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_mips.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny3_powerpc.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_powerpc.deb
- http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny3_powerpc.deb
- http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny3_powerpc.deb
- http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny3_powerpc.deb
MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.