CVE-2009-2694 Security vulnerability in pidgin < 2.5.9
Bug #416306 reported by
aus
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Pidgin |
Fix Released
|
Undecided
|
Unassigned | ||
pidgin (Debian) |
Fix Released
|
Unknown
|
|||
pidgin (Fedora) |
Fix Released
|
Critical
|
|||
pidgin (Gentoo Linux) |
Fix Released
|
Medium
|
|||
pidgin (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
Binary package hint: pidgin
Pidgin <= 2.5.8 is vulnerable to a remote MSN bug. Specially crafted SLP messages can cause a buffer overflow and allow a remote attacker to execute code on the system running pidgin. This does not require the attacker to be on the list of the pidgin user. This is caused by a problem in libpurple <= 2.5.8.
More information can be found on:
http://
http://
http://
Changed in pidgin (Gentoo Linux): | |
status: | Unknown → Confirmed |
visibility: | private → public |
Changed in pidgin: | |
status: | New → Fix Released |
Changed in pidgin (Fedora): | |
status: | Unknown → Fix Released |
Changed in pidgin (Gentoo Linux): | |
status: | Confirmed → In Progress |
Changed in pidgin (Gentoo Linux): | |
status: | In Progress → Fix Released |
Changed in pidgin (Gentoo Linux): | |
importance: | Unknown → Medium |
Changed in pidgin (Fedora): | |
importance: | Unknown → Critical |
To post a comment you must log in.
Core Security Technologies reported that previous upstream fixes addressing insufficient input validation flaw in pidgin / libpurple in function msn_slplink_ process_ msg() are inefficient and can be bypassed. This flaw allows an attacker to overwrite pidgin's memory and possibly execute arbitrary code with the privileges of the user running application using libpurple.
This issue was previously tracked as CVE-2008-2927 (bug #453764) and CVE-2009-1376 (bug #500493, incomplete fix).