U radu programskog paketa Pidgin uočene su tri sigurnosne ranjivosti koje udaljeni napadači mogu iskoristiti za izvođenje DoS napada (rušenje aplikacije).
Paket:
pidgin 2.x
Operacijski sustavi:
Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6
Kritičnost:
6.5
Problem:
neodgovarajuća provjera ulaznih podataka, pogreška u programskoj komponenti, preljev međuspremnika
Iskorištavanje:
udaljeno
Posljedica:
uskraćivanje usluga (DoS)
Rješenje:
programska zakrpa proizvođača
CVE:
CVE-2012-1178, CVE-2012-2318, CVE-2012-3374
Izvorni ID preporuke:
RHSA-2012:1102-01
Izvor:
Red Hat
Problem:
Ranjivosti su posljedica pogreške u obradi teksta koji nije kodiran u UTF-8 i neodgovarajuće provjere ulaznih podataka u dodatku MSN protokola, te prepisivanja spremnika u dodatku MXit protokola.
Posljedica:
Napadačima omogućuju izvođenje DoS napada.
Rješenje:
Svim se korisnicima preporuča instalacija novih programskih rješenja.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: pidgin security update
Advisory ID: RHSA-2012:1102-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-1102.html
Issue date: 2012-07-19
CVE Names: CVE-2012-1178 CVE-2012-2318 CVE-2012-3374
=====================================================================
1. Summary:
Updated pidgin packages that fix three security issues are now available
for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64
3. Description:
Pidgin is an instant messaging program which can log in to multiple
accounts on multiple instant messaging networks simultaneously.
A flaw was found in the way the Pidgin MSN protocol plug-in processed text
that was not encoded in UTF-8. A remote attacker could use this flaw to
crash Pidgin by sending a specially-crafted MSN message. (CVE-2012-1178)
An input validation flaw was found in the way the Pidgin MSN protocol
plug-in handled MSN notification messages. A malicious server or a remote
attacker could use this flaw to crash Pidgin by sending a specially-crafted
MSN notification message. (CVE-2012-2318)
A buffer overflow flaw was found in the Pidgin MXit protocol plug-in. A
remote attacker could use this flaw to crash Pidgin by sending a MXit
message containing specially-crafted emoticon tags. (CVE-2012-3374)
Red Hat would like to thank the Pidgin project for reporting the
CVE-2012-3374 issue. Upstream acknowledges Ulf HÄ
Posljednje sigurnosne preporuke