ports/135239: [vuxml] net-im/pidgin: document CVE-2009-137[3, 4, 5, 6]

Eygene Ryabinkin rea-fbsd at codelabs.ru
Thu Jun 4 03:10:02 UTC 2009


>Number:         135239
>Category:       ports
>Synopsis:       [vuxml] net-im/pidgin: document CVE-2009-137[3,4,5,6]
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 04 03:10:00 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.2-STABLE amd64
>Organization:
Code Labs
>Environment:

System: FreeBSD 7.2-STABLE amd64

>Description:

Multiple vulnerabilities were fixed in Pidgin 2.5.6: [1], [2], [3], [4].

>How-To-Repeat:

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1373
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1374
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1375
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1376

>Fix:

The FreeBSD port is already at 2.5.6, so it's not currently affected.

The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
  <vuln vid="f05c7f03-5065-11de-9826-001fc66e7203">
    <topic>pidgin -- multiple vulnerabilities</topic>
    <affects>
      <package>
        <name>pidgin</name>
        <range><lt>2.5.6</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Secunia reports:</p>
        <blockquote
          cite="http://secunia.com/advisories/35194/">
          <p>Some vulnerabilities and weaknesses have been reported in
          Pidgin, which can be exploited by malicious people to cause a
          DoS (Denial of Service) or to potentially compromise a user's
          system.</p>
          <ol>
            <li>A truncation error in the processing of MSN SLP messages
            can be exploited to cause a buffer overflow.</li>
            <li>A boundary error in the XMPP SOCKS5 "bytestream" server
            when initiating an outgoing file transfer can be exploited
            to cause a buffer overflow.</li>
            <li>A boundary error exists in the implementation of the
            "PurpleCircBuffer" structure. This can be exploited to
            corrupt memory and cause a crash via specially crafted XMPP
            or Sametime packets.</li>
            <li>A boundary error in the "decrypt_out()" function can be
            exploited to cause a stack-based buffer overflow with 8
            bytes and crash the application via a specially crafted QQ
            packet.</li>
          </ol>
          <p>Successful exploitation of vulnerabilities #1 and #2 may
          allow execution of arbitrary code.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2009-1373</cvename>
      <cvename>CVE-2009-1374</cvename>
      <cvename>CVE-2009-1375</cvename>
      <cvename>CVE-2009-1376</cvename>
      <bid>35067</bid>
      <url>http://secunia.com/advisories/35194/</url>
    </references>
    <dates>
      <discovery>2009-06-03</discovery>
      <entry>TODAY</entry>
    </dates>
  </vuln>
--- vuln.xml ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
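
One way to evaluate the entry's `<range>` before committing it, as an added example that is not part of the original report or of the ports tools. The names `parse_version` and `affected` are hypothetical, the embedded entry is a trimmed copy of the one above, and the version comparison is a simplification that accepts only dotted-numeric versions.

```python
import operator
import re
import xml.etree.ElementTree as ET

# Trimmed copy of the entry from the report above (description omitted).
ENTRY = """
<vuln vid="f05c7f03-5065-11de-9826-001fc66e7203">
  <topic>pidgin -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <name>pidgin</name>
      <range><lt>2.5.6</lt></range>
    </package>
  </affects>
  <references>
    <cvename>CVE-2009-1373</cvename>
    <cvename>CVE-2009-1374</cvename>
    <cvename>CVE-2009-1375</cvename>
    <cvename>CVE-2009-1376</cvename>
  </references>
</vuln>
"""

OPS = {"lt": operator.lt, "le": operator.le, "gt": operator.gt,
       "ge": operator.ge, "eq": operator.eq}

def parse_version(text):
    """Assumption: plain dotted-numeric versions only. Real port versions
    may carry _PORTREVISION and ,PORTEPOCH suffixes, which are rejected."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version syntax: {text!r}")
    return tuple(int(part) for part in text.split("."))

def affected(entry_xml, name, version):
    """Return the entry's CVE names if name-version is in an affected range."""
    vuln = ET.fromstring(entry_xml)
    installed = parse_version(version)
    for package in vuln.iterfind("affects/package"):
        if name not in [n.text for n in package.iterfind("name")]:
            continue
        for rng in package.iterfind("range"):
            # All bounds inside one <range> must hold; ranges are alternatives.
            if len(rng) and all(OPS[b.tag](installed, parse_version(b.text))
                                for b in rng):
                return [c.text for c in vuln.iterfind("references/cvename")]
    return []
```

Comparing integer tuples rather than strings is what keeps a version such as 2.5.10 from being wrongly matched by `<lt>2.5.6</lt>`.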


