============================================================================ Ubuntu Security Notice USN-2100-1 February 06, 2014 pidgin vulnerabilities ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 13.10 - Ubuntu 12.10 - Ubuntu 12.04 LTS Summary: Several security issues were fixed in Pidgin. Software Description: - pidgin: graphical multi-protocol instant messaging client for X Details: Thijs Alkemade and Robert Vehse discovered that Pidgin incorrectly handled the Yahoo! protocol. A remote attacker could use this issue to cause Pidgin to crash, resulting in a denial of service. (CVE-2012-6152) Jaime Breva Ribes discovered that Pidgin incorrectly handled the XMPP protocol. A remote attacker could use this issue to cause Pidgin to crash, resulting in a denial of service. (CVE-2013-6477) It was discovered that Pidgin incorrecly handled long URLs. A remote attacker could use this issue to cause Pidgin to crash, resulting in a denial of service. (CVE-2013-6478) Jacob Appelbaum discovered that Pidgin incorrectly handled certain HTTP responses. A malicious remote server or a man in the middle could use this issue to cause Pidgin to crash, resulting in a denial of service. (CVE-2013-6479) Daniel Atallah discovered that Pidgin incorrectly handled the Yahoo! protocol. A remote attacker could use this issue to cause Pidgin to crash, resulting in a denial of service. (CVE-2013-6481) Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin incorrectly handled the MSN protocol. A remote attacker could use this issue to cause Pidgin to crash, resulting in a denial of service. (CVE-2013-6482) Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin incorrectly handled XMPP iq replies. A remote attacker could use this issue to spoof messages. (CVE-2013-6483) It was discovered that Pidgin incorrectly handled STUN server responses. A remote attacker could use this issue to cause Pidgin to crash, resulting in a denial of service. (CVE-2013-6484) Matt Jones discovered that Pidgin incorrectly handled certain chunked HTTP responses. A malicious remote server or a man in the middle could use this issue to cause Pidgin to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2013-6485) Yves Younan and Ryan Pentney discovered that Pidgin incorrectly handled certain Gadu-Gadu HTTP messages. A malicious remote server or a man in the middle could use this issue to cause Pidgin to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2013-6487) Yves Younan and Pawel Janic discovered that Pidgin incorrectly handled MXit emoticons. A remote attacker could use this issue to cause Pidgin to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2013-6489) Yves Younan discovered that Pidgin incorrectly handled SIMPLE headers. A remote attacker could use this issue to cause Pidgin to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2013-6490) Daniel Atallah discovered that Pidgin incorrectly handled IRC argument parsing. A malicious remote server or a man in the middle could use this issue to cause Pidgin to crash, resulting in a denial of service. (CVE-2014-0020) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 13.10: libpurple0 1:2.10.7-0ubuntu4.1.13.10.1 pidgin 1:2.10.7-0ubuntu4.1.13.10.1 Ubuntu 12.10: libpurple0 1:2.10.6-0ubuntu2.3 pidgin 1:2.10.6-0ubuntu2.3 Ubuntu 12.04 LTS: libpurple0 1:2.10.3-0ubuntu1.4 pidgin 1:2.10.3-0ubuntu1.4 After a standard system update you need to restart Pidgin to make all the necessary changes. References: http://www.ubuntu.com/usn/usn-2100-1 CVE-2012-6152, CVE-2013-6477, CVE-2013-6478, CVE-2013-6479, CVE-2013-6481, CVE-2013-6482, CVE-2013-6483, CVE-2013-6484, CVE-2013-6485, CVE-2013-6487, CVE-2013-6489, CVE-2013-6490, CVE-2014-0020 Package Information: https://launchpad.net/ubuntu/+source/pidgin/1:2.10.7-0ubuntu4.1.13.10.1 https://launchpad.net/ubuntu/+source/pidgin/1:2.10.6-0ubuntu2.3 https://launchpad.net/ubuntu/+source/pidgin/1:2.10.3-0ubuntu1.4