
Vulnerabilities in the pidgin software package

  • OS details: LUB
  • Importance: IMP
  • Operating systems: L
  • Categories: LUB

==========================================================================
Ubuntu Security Notice USN-2390-1
October 28, 2014

pidgin vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

– Ubuntu 14.10
– Ubuntu 14.04 LTS
– Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Pidgin.

Software Description:
– pidgin: graphical multi-protocol instant messaging client for X

Details:

Jacob Appelbaum and an anonymous person discovered that Pidgin incorrectly
handled certificate validation. A remote attacker could exploit this to
perform a man in the middle attack to view sensitive information or alter
encrypted communications. (CVE-2014-3694)

Yves Younan and Richard Johnson discovered that Pidgin incorrectly handled
certain malformed MXit emoticons. A malicious remote server or a man in the
middle could use this issue to cause Pidgin to crash, resulting in a denial
of service. (CVE-2014-3695)

Yves Younan and Richard Johnson discovered that Pidgin incorrectly handled
certain malformed Groupwise messages. A malicious remote server or a man in
the middle could use this issue to cause Pidgin to crash, resulting in a
denial of service. (CVE-2014-3696)

Thijs Alkemade and Paul Aurich discovered that Pidgin incorrectly handled
memory when processing XMPP messages. A malicious remote server or user
could use this issue to cause Pidgin to disclose arbitrary memory,
resulting in an information leak. (CVE-2014-3698)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.10:
libpurple0 1:2.10.9-0ubuntu7.1
pidgin 1:2.10.9-0ubuntu7.1

Ubuntu 14.04 LTS:
libpurple0 1:2.10.9-0ubuntu3.2
pidgin 1:2.10.9-0ubuntu3.2

Ubuntu 12.04 LTS:
libpurple0 1:2.10.3-0ubuntu1.6
pidgin 1:2.10.3-0ubuntu1.6

After a standard system update you need to restart Pidgin to make all the
necessary changes.

References:
http://www.ubuntu.com/usn/usn-2390-1
CVE-2014-3694, CVE-2014-3695, CVE-2014-3696, CVE-2014-3698

Package Information:
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.9-0ubuntu7.1
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.9-0ubuntu3.2
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.3-0ubuntu1.6


Author: Tomislav Protega
Cert ID: NCERT-REF-2014-10-0008-ADV
CVE: CVE-2014-3694 CVE-2014-3695 CVE-2014-3696 CVE-2014-3698
Source ID: USN-2390-1
Product: pidgin
Source: http://www.ubuntu.com