ports/135239: [vuxml] net-im/pidgin: document CVE-2009-137[3, 4, 5, 6]
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Thu Jun 4 03:10:02 UTC 2009
>Number: 135239
>Category: ports
>Synopsis: [vuxml] net-im/pidgin: document CVE-2009-137[3,4,5,6]
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jun 04 03:10:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.2-STABLE amd64
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.2-STABLE amd64
>Description:
Multiple vulnerabilities were fixed in Pidgin 2.5.6: [1], [2], [3], [4].
>How-To-Repeat:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1373
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1374
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1375
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1376
>Fix:
FreeBSD port is already at 2.5.6, so it's not currently affected.
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
<vuln vid="f05c7f03-5065-11de-9826-001fc66e7203">
  <topic>pidgin -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>pidgin</name>
      <range><lt>2.5.6</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Secunia reports:</p>
      <blockquote
        cite="http://secunia.com/advisories/35194/">
        <p>Some vulnerabilities and weaknesses have been reported in
          Pidgin, which can be exploited by malicious people to cause a
          DoS (Denial of Service) or to potentially compromise a user's
          system.</p>
        <ol>
          <li>A truncation error in the processing of MSN SLP messages
            can be exploited to cause a buffer overflow.</li>
          <li>A boundary error in the XMPP SOCKS5 "bytestream" server
            when initiating an outgoing file transfer can be exploited
            to cause a buffer overflow.</li>
          <li>A boundary error exists in the implementation of the
            "PurpleCircBuffer" structure. This can be exploited to
            corrupt memory and cause a crash via specially crafted XMPP
            or Sametime packets.</li>
          <li>A boundary error in the "decrypt_out()" function can be
            exploited to cause a stack-based buffer overflow with 8
            bytes and crash the application via a specially crafted QQ
            packet.</li>
        </ol>
        <p>Successful exploitation of vulnerabilities #1 and #2 may
          allow execution of arbitrary code.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2009-1373</cvename>
    <cvename>CVE-2009-1374</cvename>
    <cvename>CVE-2009-1375</cvename>
    <cvename>CVE-2009-1376</cvename>
    <bid>35067</bid>
    <url>http://secunia.com/advisories/35194/</url>
  </references>
  <dates>
    <discovery>2009-06-03</discovery>
    <entry>TODAY</entry>
  </dates>
</vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
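
Added example, not part of the original report or of the FreeBSD tooling: a small Python check that evaluates the entry's <range> against an installed version (the "port is already at 2.5.6, so not affected" reasoning above) and flags fields that are not yet valid dates, such as the TODAY placeholder in <entry>. The function names and the simplified dotted-numeric version comparison are assumptions; the embedded XML is a trimmed copy of the entry above.

```python
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the entry proposed in this report (description omitted).
ENTRY = """
<vuln vid="f05c7f03-5065-11de-9826-001fc66e7203">
  <affects><package>
    <name>pidgin</name>
    <range><lt>2.5.6</lt></range>
  </package></affects>
  <dates><discovery>2009-06-03</discovery><entry>TODAY</entry></dates>
</vuln>
"""

# VuXML range bounds, applied to the sign of vercmp(installed, bound).
OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
       "ge": lambda c: c >= 0, "gt": lambda c: c > 0}

def vkey(version, width=8):
    # Assumption: plain dotted numeric versions only; PORTREVISION and
    # PORTEPOCH suffixes (_N and ,N) are not handled here.
    parts = [int(p) for p in version.split(".")]
    return parts + [0] * (width - len(parts))

def vercmp(a, b):
    ka, kb = vkey(a), vkey(b)
    return (ka > kb) - (ka < kb)

def affected(entry_xml, name, version):
    """True if name-version falls inside any <range> of a matching <package>."""
    root = ET.fromstring(entry_xml)
    for pkg in root.iter("package"):
        if name not in [n.text for n in pkg.findall("name")]:
            continue
        for rng in pkg.findall("range"):
            # All bounds inside one <range> must hold together.
            if all(OPS[b.tag](vercmp(version, b.text)) for b in rng):
                return True
    return False

def lint(entry_xml):
    root = ET.fromstring(entry_xml)
    problems = []
    if not re.fullmatch(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", root.get("vid", "")):
        problems.append("vid is not a lowercase UUID")
    for tag in ("discovery", "entry"):
        text = root.findtext(f"dates/{tag}", "")
        if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", text):
            problems.append(f"<{tag}> is not a YYYY-MM-DD date: {text!r}")
    return problems
```
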