Security Advisory Important: pidgin security and bug fix update

Advisory: RHSA-2008:0584-2
Type: Security Advisory
Severity: Important
Issued on: 2008-07-09
Last updated on: 2008-07-09
Affected Products: RHEL Desktop Workstation (v. 5 client)
RHEL Optional Productivity Applications (v. 5 server)
Red Hat Desktop (v. 3)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Enterprise Linux WS (v. 4)
OVAL: com.redhat.rhsa-20080584.xml
CVEs (cve.mitre.org): CVE-2008-2927

Details

Updated Pidgin packages that fix a security issue and address a bug are now
available for Red Hat Enterprise Linux 3, 4, and 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

Pidgin is a multi-protocol Internet Messaging client.

An integer overflow flaw was found in Pidgin's MSN protocol handler. If a
user received a malicious MSN message, it was possible to execute arbitrary
code with the permissions of the user running Pidgin. (CVE-2008-2927)

Note: the default Pidgin privacy setting only allows messages from users in
the buddy list. This prevents arbitrary MSN users from exploiting this
flaw.

This update also addresses the following bug:

* when attempting to connect to the ICQ network, Pidgin would fail to
connect, present an alert saying the "The client version you are using is
too old", and de-activate the ICQ account. This update restores Pidgin's
ability to connect to the ICQ network.

All Pidgin users should upgrade to these updated packages, which contain
backported patches to resolve these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)
IA-32:
finch-devel-2.3.1-2.el5_2.i386.rpm     69971e840d25ea7645a86f5750345287
libpurple-devel-2.3.1-2.el5_2.i386.rpm     e2c3a5df3b75300dcde2f852bada9f45
pidgin-devel-2.3.1-2.el5_2.i386.rpm     043bda52f97c8822beef5b80d3423004
 
x86_64:
finch-devel-2.3.1-2.el5_2.i386.rpm     69971e840d25ea7645a86f5750345287
finch-devel-2.3.1-2.el5_2.x86_64.rpm     b05b2a2a44d39c853b53a755771af0c7
libpurple-devel-2.3.1-2.el5_2.i386.rpm     e2c3a5df3b75300dcde2f852bada9f45
libpurple-devel-2.3.1-2.el5_2.x86_64.rpm     e47fadecff83ca013d9b239c111f077b
pidgin-devel-2.3.1-2.el5_2.i386.rpm     043bda52f97c8822beef5b80d3423004
pidgin-devel-2.3.1-2.el5_2.x86_64.rpm     aed7eb048bdd807e81149ec66b236f5b
 
RHEL Optional Productivity Applications (v. 5 server)
SRPMS:
pidgin-2.3.1-2.el5_2.src.rpm     f509aa221118d1ca3c6729a369d81d7a
 
IA-32:
finch-2.3.1-2.el5_2.i386.rpm     0b555f3c4a2a9d3424167881788c5c8b
finch-devel-2.3.1-2.el5_2.i386.rpm     69971e840d25ea7645a86f5750345287
libpurple-2.3.1-2.el5_2.i386.rpm     bb12cf3feb5c62c24eb71ae52dc8b121
libpurple-devel-2.3.1-2.el5_2.i386.rpm     e2c3a5df3b75300dcde2f852bada9f45
libpurple-perl-2.3.1-2.el5_2.i386.rpm     41fa200185f78154c5f572888350ee49
libpurple-tcl-2.3.1-2.el5_2.i386.rpm     87797e080a3c1ff735dae93ac969b7de
pidgin-2.3.1-2.el5_2.i386.rpm     431d6391f0f011e13ae6afe47c6b36a1
pidgin-devel-2.3.1-2.el5_2.i386.rpm     043bda52f97c8822beef5b80d3423004
pidgin-perl-2.3.1-2.el5_2.i386.rpm     842330e5e5ed147eb5202f7f958e7419
 
x86_64:
finch-2.3.1-2.el5_2.i386.rpm     0b555f3c4a2a9d3424167881788c5c8b
finch-2.3.1-2.el5_2.x86_64.rpm     61ec20e07cf68f9568739891c03c99e7
finch-devel-2.3.1-2.el5_2.i386.rpm     69971e840d25ea7645a86f5750345287
finch-devel-2.3.1-2.el5_2.x86_64.rpm     b05b2a2a44d39c853b53a755771af0c7
libpurple-2.3.1-2.el5_2.i386.rpm     bb12cf3feb5c62c24eb71ae52dc8b121
libpurple-2.3.1-2.el5_2.x86_64.rpm     e4c22210cd1b3fa352137997ffd2f10e
libpurple-devel-2.3.1-2.el5_2.i386.rpm     e2c3a5df3b75300dcde2f852bada9f45
libpurple-devel-2.3.1-2.el5_2.x86_64.rpm     e47fadecff83ca013d9b239c111f077b
libpurple-perl-2.3.1-2.el5_2.x86_64.rpm     5325a149b7be5608a10e705ae8ea273f
libpurple-tcl-2.3.1-2.el5_2.x86_64.rpm     736c95116a614cebc71bf3cb89a511c6
pidgin-2.3.1-2.el5_2.i386.rpm     431d6391f0f011e13ae6afe47c6b36a1
pidgin-2.3.1-2.el5_2.x86_64.rpm     60cc0e9fb4308010eaae866deddb0a3e
pidgin-devel-2.3.1-2.el5_2.i386.rpm     043bda52f97c8822beef5b80d3423004
pidgin-devel-2.3.1-2.el5_2.x86_64.rpm     aed7eb048bdd807e81149ec66b236f5b
pidgin-perl-2.3.1-2.el5_2.x86_64.rpm     968b0a5920627825e588e6982a7db57f
 
Red Hat Desktop (v. 3)
SRPMS:
pidgin-1.5.1-2.el3.src.rpm     a8dd594a135a0707379a21d5cf541269
 
IA-32:
pidgin-1.5.1-2.el3.i386.rpm     3cd2518497f851f065fe7187866d4efd
 
x86_64:
pidgin-1.5.1-2.el3.x86_64.rpm     c465137c156cd7e0d34448731b50ad2b
 
Red Hat Desktop (v. 4)
SRPMS:
pidgin-1.5.1-2.el4.src.rpm
File outdated by:  RHBA-2008:0775		     71b3546de412c43ee1a6f9c83986f2be
 
IA-32:
pidgin-1.5.1-2.el4.i386.rpm
File outdated by:  RHBA-2008:0775		     acbcebdf818b6525d27a9a2e5bb202a2
 
x86_64:
pidgin-1.5.1-2.el4.x86_64.rpm
File outdated by:  RHBA-2008:0775		     49e0aee8ef7ae30f86bbcbb2fa562dd8
 
Red Hat Enterprise Linux AS (v. 3)
SRPMS:
pidgin-1.5.1-2.el3.src.rpm     a8dd594a135a0707379a21d5cf541269
 
IA-32:
pidgin-1.5.1-2.el3.i386.rpm     3cd2518497f851f065fe7187866d4efd
 
IA-64:
pidgin-1.5.1-2.el3.ia64.rpm     22f8ed905eef43f8ed131f90c117fae6
 
PPC:
pidgin-1.5.1-2.el3.ppc.rpm     c91b78fb62fae03fc0a06c041f4f2c25
 
s390:
pidgin-1.5.1-2.el3.s390.rpm     ab3c318326b9fdef1de427bbea1c2e0d
 
s390x:
pidgin-1.5.1-2.el3.s390x.rpm     1cdee972acb84447e5437d4156aaefb9
 
x86_64:
pidgin-1.5.1-2.el3.x86_64.rpm     c465137c156cd7e0d34448731b50ad2b
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
pidgin-1.5.1-2.el4.src.rpm
File outdated by:  RHBA-2008:0775		     71b3546de412c43ee1a6f9c83986f2be
 
IA-32:
pidgin-1.5.1-2.el4.i386.rpm
File outdated by:  RHBA-2008:0775		     acbcebdf818b6525d27a9a2e5bb202a2
 
IA-64:
pidgin-1.5.1-2.el4.ia64.rpm
File outdated by:  RHBA-2008:0775		     4f77b0b92028eac20afbad04e884d8d1
 
PPC:
pidgin-1.5.1-2.el4.ppc.rpm
File outdated by:  RHBA-2008:0775		     e717c186310ad1db142c898d16cdd462
 
s390:
pidgin-1.5.1-2.el4.s390.rpm
File outdated by:  RHBA-2008:0775		     4ad712670ff7dad964b1deeb75633adf
 
s390x:
pidgin-1.5.1-2.el4.s390x.rpm
File outdated by:  RHBA-2008:0775		     5f68b6982736616f7c11152de5e080ff
 
x86_64:
pidgin-1.5.1-2.el4.x86_64.rpm
File outdated by:  RHBA-2008:0775		     49e0aee8ef7ae30f86bbcbb2fa562dd8
 
Red Hat Enterprise Linux Desktop (v. 5 client)
SRPMS:
pidgin-2.3.1-2.el5_2.src.rpm     f509aa221118d1ca3c6729a369d81d7a
 
IA-32:
finch-2.3.1-2.el5_2.i386.rpm     0b555f3c4a2a9d3424167881788c5c8b
libpurple-2.3.1-2.el5_2.i386.rpm     bb12cf3feb5c62c24eb71ae52dc8b121
libpurple-perl-2.3.1-2.el5_2.i386.rpm     41fa200185f78154c5f572888350ee49
libpurple-tcl-2.3.1-2.el5_2.i386.rpm     87797e080a3c1ff735dae93ac969b7de
pidgin-2.3.1-2.el5_2.i386.rpm     431d6391f0f011e13ae6afe47c6b36a1
pidgin-perl-2.3.1-2.el5_2.i386.rpm     842330e5e5ed147eb5202f7f958e7419
 
x86_64:
finch-2.3.1-2.el5_2.i386.rpm     0b555f3c4a2a9d3424167881788c5c8b
finch-2.3.1-2.el5_2.x86_64.rpm     61ec20e07cf68f9568739891c03c99e7
libpurple-2.3.1-2.el5_2.i386.rpm     bb12cf3feb5c62c24eb71ae52dc8b121
libpurple-2.3.1-2.el5_2.x86_64.rpm     e4c22210cd1b3fa352137997ffd2f10e
libpurple-perl-2.3.1-2.el5_2.x86_64.rpm     5325a149b7be5608a10e705ae8ea273f
libpurple-tcl-2.3.1-2.el5_2.x86_64.rpm     736c95116a614cebc71bf3cb89a511c6
pidgin-2.3.1-2.el5_2.i386.rpm     431d6391f0f011e13ae6afe47c6b36a1
pidgin-2.3.1-2.el5_2.x86_64.rpm     60cc0e9fb4308010eaae866deddb0a3e
pidgin-perl-2.3.1-2.el5_2.x86_64.rpm     968b0a5920627825e588e6982a7db57f
 
Red Hat Enterprise Linux ES (v. 3)
SRPMS:
pidgin-1.5.1-2.el3.src.rpm     a8dd594a135a0707379a21d5cf541269
 
IA-32:
pidgin-1.5.1-2.el3.i386.rpm     3cd2518497f851f065fe7187866d4efd
 
IA-64:
pidgin-1.5.1-2.el3.ia64.rpm     22f8ed905eef43f8ed131f90c117fae6
 
x86_64:
pidgin-1.5.1-2.el3.x86_64.rpm     c465137c156cd7e0d34448731b50ad2b
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
pidgin-1.5.1-2.el4.src.rpm
File outdated by:  RHBA-2008:0775		     71b3546de412c43ee1a6f9c83986f2be
 
IA-32:
pidgin-1.5.1-2.el4.i386.rpm
File outdated by:  RHBA-2008:0775		     acbcebdf818b6525d27a9a2e5bb202a2
 
IA-64:
pidgin-1.5.1-2.el4.ia64.rpm
File outdated by:  RHBA-2008:0775		     4f77b0b92028eac20afbad04e884d8d1
 
x86_64:
pidgin-1.5.1-2.el4.x86_64.rpm
File outdated by:  RHBA-2008:0775		     49e0aee8ef7ae30f86bbcbb2fa562dd8
 
Red Hat Enterprise Linux WS (v. 3)
SRPMS:
pidgin-1.5.1-2.el3.src.rpm     a8dd594a135a0707379a21d5cf541269
 
IA-32:
pidgin-1.5.1-2.el3.i386.rpm     3cd2518497f851f065fe7187866d4efd
 
IA-64:
pidgin-1.5.1-2.el3.ia64.rpm     22f8ed905eef43f8ed131f90c117fae6
 
x86_64:
pidgin-1.5.1-2.el3.x86_64.rpm     c465137c156cd7e0d34448731b50ad2b
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
pidgin-1.5.1-2.el4.src.rpm
File outdated by:  RHBA-2008:0775		     71b3546de412c43ee1a6f9c83986f2be
 
IA-32:
pidgin-1.5.1-2.el4.i386.rpm
File outdated by:  RHBA-2008:0775		     acbcebdf818b6525d27a9a2e5bb202a2
 
IA-64:
pidgin-1.5.1-2.el4.ia64.rpm
File outdated by:  RHBA-2008:0775		     4f77b0b92028eac20afbad04e884d8d1
 
x86_64:
pidgin-1.5.1-2.el4.x86_64.rpm
File outdated by:  RHBA-2008:0775		     49e0aee8ef7ae30f86bbcbb2fa562dd8
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

453634 - RHEL5 - Fix ICQ login
453764 - CVE-2008-2927 pidgin MSN integer overflow
453773 - RHEL4 - Fix ICQ login
453774 - RHEL3 - Fix ICQ login


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2927
http://www.redhat.com/security/updates/classification/#important

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/