
[Backports-security-announce] Security Update for pidgin



Gerfried Fuchs uploaded new packages for pidgin which fixed the
following security problems:

CVE-2009-1373

  Buffer overflow in the XMPP SOCKS5 bytestream server in Pidgin
  (formerly Gaim) before 2.5.6 allows remote authenticated users to
  execute arbitrary code via vectors involving an outbound XMPP file
  transfer.

CVE-2009-1374

  Buffer overflow in the decrypt_out function in Pidgin (formerly Gaim)
  before 2.5.6 allows remote attackers to cause a denial of service
  (application crash) via a QQ packet. 

CVE-2009-1375

  The PurpleCircBuffer implementation in Pidgin (formerly Gaim) before
  2.5.6 does not properly maintain a certain buffer, which allows remote
  attackers to cause a denial of service (memory corruption and
  application crash) via vectors involving the (1) XMPP or (2) Sametime
  protocol. 

CVE-2009-1376

  Multiple integer overflows in the msn_slplink_process_msg functions in
  the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and
  (2) libpurple/protocols/msnp9/slplink.c in Pidgin (formerly Gaim)
  before 2.5.6 on 32-bit platforms allow remote attackers to execute
  arbitrary code via a malformed SLP message with a crafted offset
  value, leading to buffer overflows. NOTE: this issue exists because of
  an incomplete fix for CVE-2008-2927. 

CVE-2009-1889, Debian Bug #535790

  The OSCAR protocol implementation in Pidgin before 2.5.8 misinterprets
  the ICQWebMessage message type as the ICQSMS message type, which
  allows remote attackers to cause a denial of service (application
  crash) via a crafted ICQ web message that triggers allocation of a
  large amount of memory. 

For the lenny-backports distribution the problems (with the exception of
CVE-2009-1889) have been fixed in version 2.4.3-4lenny2.

For the squeeze and sid distributions the problems have been fixed in
version 2.5.8-1.
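As an added example that is not part of this announcement, the Python below implements dpkg's version ordering and applies it to the fixed versions above: it shows why the lenny-backports fix (2.4.3-4lenny2) has to be matched against the per-distribution fixed version rather than the upstream "before 2.5.6" threshold, and that CVE-2009-1889 stays open on lenny-backports. The function and constant names (`compare_versions`, `unfixed_cves`, `FIXED`, `CVES`) are this example's own.

```python
import re
from itertools import zip_longest

# Added example, not from the advisory: dpkg-style version ordering, used to check
# whether an installed pidgin is at or above the fixed version for its distribution.

def _order(c):  # dpkg character rank: '~' sorts before everything, even end of string
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):  # compare one upstream or revision part, run by run
    runs = lambda s: re.findall(r"(\D*)(\d*)", s)  # alternating non-digit / digit runs
    for (na, da), (nb, db) in zip_longest(runs(a), runs(b), fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):  # leading zeros carry no weight
            return int(da or 0) - int(db or 0)
    return 0

def _split(v):  # -> (epoch, upstream, debian revision)
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), revision

def compare_versions(a, b):  # negative if a < b, zero if equal, positive if a > b
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

CVES = ["CVE-2009-1373", "CVE-2009-1374", "CVE-2009-1375", "CVE-2009-1376", "CVE-2009-1889"]
FIXED = {  # fixed version per distribution, and the CVEs the advisory leaves open there
    "lenny-backports": ("2.4.3-4lenny2", {"CVE-2009-1889"}),
    "squeeze": ("2.5.8-1", set()),
    "sid": ("2.5.8-1", set()),
}

def unfixed_cves(installed, dist):
    """CVEs from this advisory that are still open for `installed` pidgin on `dist`."""
    fixed_version, still_open = FIXED[dist]
    if compare_versions(installed, fixed_version) < 0:
        return list(CVES)  # below the fixed version: everything in the advisory applies
    return [c for c in CVES if c in still_open]
```

Note that a scanner comparing the lenny-backports package against the upstream cutoff would report it vulnerable, even though the Debian revision carries the fix.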


Upgrade instructions
--------------------

If you don't use pinning (see [1]), you have to update the packages
manually via "apt-get -t etch-backports install <packagelist>", where
<packagelist> is the list of your installed packages affected by this
update.
[1] <http://backports.org/dokuwiki/doku.php?id=instructions>

We recommend pinning the backports repository at priority 200 so that new
versions of installed backports are installed automatically:

  Package: *
  Pin: release a=etch-backports
  Pin-Priority: 200
