Your message dated Sun, 10 Jan 2010 02:02:59 +0000
with message-id <e1ntn8t-0001jh...@ries.debian.org>
and subject line Bug#563206: fixed in pidgin 2.6.5-1
has caused the Debian Bug report #563206,
regarding pidgin: local file disclosure vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
563206: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563206
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: pidgin
Version: 2.6.4-1
Severity: grave
Tags: security

Hi,

A vulnerability has been discovered in Pidgin.

Here's the description from Secunia's SA37953 advisory:
> Fabian Yamaguchi has discovered a vulnerability in Pidgin, which can be
> exploited by malicious people to disclose sensitive information.
>
> The vulnerability is caused due to an error in the implementation of the
> custom smileys feature for MSN. This can be exploited to disclose the
> content of arbitrary files via an MSN emoticon request containing directory
> traversal sequences.
>
> Successful exploitation may require that at least one custom smiley is
> defined.
>
> The vulnerability is confirmed in version 2.6.4. Other versions may also be
> affected.

If you fix this vulnerability please include the CVE id when one is assigned.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net



--- End Message ---
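
A defensive sketch of how a client can handle the kind of emoticon request the advisory describes, added here as an example; it is not Pidgin's code and not the CVE-2010-0013 patch. The function names, the registry contents and the file names are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: files the user has registered as custom smileys. */
static const char *const registered_files[] = { "a1b2c3.png", "d4e5f6.gif" };

/* A peer-supplied name is acceptable only as a single path component. */
static int is_plain_filename(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    /* Reject both separators so the check also holds on Windows builds. */
    return strpbrk(name, "/\\") == NULL;
}

/*
 * Resolve a remote emoticon request to a path inside smiley_dir.
 * Returns 0 and fills `out` on success, -1 if the request must be refused.
 */
int resolve_smiley_request(const char *smiley_dir, const char *requested,
                           char *out, size_t outlen)
{
    size_t i;
    int n;

    if (!is_plain_filename(requested))
        return -1;

    /*
     * Allow-list: the remote value is only a lookup key. The path is built
     * from the locally stored name, never from the peer's string.
     */
    for (i = 0; i < sizeof registered_files / sizeof registered_files[0]; i++) {
        if (strcmp(registered_files[i], requested) == 0) {
            n = snprintf(out, outlen, "%s/%s", smiley_dir, registered_files[i]);
            return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
        }
    }
    return -1; /* not a defined custom smiley: nothing to serve */
}
```

The two checks are independent: the component check refuses traversal sequences outright, and the allow-list means even a well-formed name is served only if the user actually defined that smiley.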
--- Begin Message ---
Source: pidgin
Source-Version: 2.6.5-1

We believe that the bug you reported is fixed in the latest version of
pidgin, which is due to be installed in the Debian FTP archive:

finch-dev_2.6.5-1_all.deb
  to main/p/pidgin/finch-dev_2.6.5-1_all.deb
finch_2.6.5-1_amd64.deb
  to main/p/pidgin/finch_2.6.5-1_amd64.deb
libpurple-bin_2.6.5-1_all.deb
  to main/p/pidgin/libpurple-bin_2.6.5-1_all.deb
libpurple-dev_2.6.5-1_all.deb
  to main/p/pidgin/libpurple-dev_2.6.5-1_all.deb
libpurple0_2.6.5-1_amd64.deb
  to main/p/pidgin/libpurple0_2.6.5-1_amd64.deb
pidgin-data_2.6.5-1_all.deb
  to main/p/pidgin/pidgin-data_2.6.5-1_all.deb
pidgin-dbg_2.6.5-1_amd64.deb
  to main/p/pidgin/pidgin-dbg_2.6.5-1_amd64.deb
pidgin-dev_2.6.5-1_all.deb
  to main/p/pidgin/pidgin-dev_2.6.5-1_all.deb
pidgin_2.6.5-1.debian.tar.gz
  to main/p/pidgin/pidgin_2.6.5-1.debian.tar.gz
pidgin_2.6.5-1.dsc
  to main/p/pidgin/pidgin_2.6.5-1.dsc
pidgin_2.6.5-1_amd64.deb
  to main/p/pidgin/pidgin_2.6.5-1_amd64.deb
pidgin_2.6.5.orig.tar.bz2
  to main/p/pidgin/pidgin_2.6.5.orig.tar.bz2



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 563...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ari Pollak <a...@debian.org> (supplier of updated pidgin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Sat, 09 Jan 2010 14:13:53 -0500
Source: pidgin
Binary: libpurple0 pidgin pidgin-data pidgin-dev pidgin-dbg finch finch-dev libpurple-dev libpurple-bin
Architecture: source all amd64
Version: 2.6.5-1
Distribution: unstable
Urgency: low
Maintainer: Ari Pollak <a...@debian.org>
Changed-By: Ari Pollak <a...@debian.org>
Description: 
 finch      - text-based multi-protocol instant messaging client
 finch-dev  - text-based multi-protocol instant messaging client - development
 libpurple-bin - multi-protocol instant messaging library - extra utilities
 libpurple-dev - multi-protocol instant messaging library - development files
 libpurple0 - multi-protocol instant messaging library
 pidgin     - graphical multi-protocol instant messaging client for X
 pidgin-data - multi-protocol instant messaging client - data files
 pidgin-dbg - Debugging symbols for Pidgin
 pidgin-dev - multi-protocol instant messaging client - development files
Closes: 563206
Changes: 
 pidgin (2.6.5-1) unstable; urgency=low
 .
   * New upstream release
   * debian/patches/CVE-2010-0013.patch:
     - Fix MSN local file disclosure vulnerability (Closes: #563206)
       (CVE-2010-0013)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEAREDAAYFAktJMvoACgkQwO+u47cOQDvE7ACdFWP9yXGb/RL8JoaW6lXhZyb5
OsIAoKAN9BuLHHuWmZ6vfol2cUivmrvy
=n0Yn
-----END PGP SIGNATURE-----



--- End Message ---
