Security Update for Pidgin.

Get

There was a flaw in Pidgin's libpurple library, which is the same one that Adium X on the Mac also uses, that allowed a disclosure of personal information.

Packages have been updated for Slackware-type distributions from version 12.0 through 13.1; anyone who uses it is advised to upgrade the package as soon as possible.

[slackware-security]  pidgin (SSA:2011-055-01)

New pidgin packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,
and -current to fix a security issue.


Here are the details from the Slackware 13.1 ChangeLog:
+--------------------------+
patches/packages/pidgin-2.7.10-i486-1_slack13.1.txz:  Upgraded.
  Fixed potential information disclosure issue in libpurple.
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

HINT:  Getting slow download speeds from ftp.slackware.com?
Give slackware.osuosl.org a try.  This is another primary FTP site
for Slackware that can be considerably faster than downloading
directly from ftp.slackware.com.

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating additional FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 12.0:
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/pidgin-2.7.10-i486-1_slack12.0.tgz

Updated package for Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/pidgin-2.7.10-i486-1_slack12.1.tgz

Updated package for Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/pidgin-2.7.10-i486-1_slack12.2.tgz

Updated package for Slackware 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/pidgin-2.7.10-i486-1_slack13.0.txz

Updated package for Slackware x86_64 13.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/pidgin-2.7.10-x86_64-1_slack13.0.txz

Updated package for Slackware 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/pidgin-2.7.10-i486-1_slack13.1.txz

Updated package for Slackware x86_64 13.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/pidgin-2.7.10-x86_64-1_slack13.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/pidgin-2.7.10-i486-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/pidgin-2.7.10-x86_64-1.txz


MD5 signatures:
+-------------+

Slackware 12.0 package:
639d14ad11fc7df9a2144d902416dc18  pidgin-2.7.10-i486-1_slack12.0.tgz

Slackware 12.1 package:
1b32b5eea9b036bfcb6700ee53efd8a3  pidgin-2.7.10-i486-1_slack12.1.tgz

Slackware 12.2 package:
e14dc4935ba04824a8212fa6cd200d1b  pidgin-2.7.10-i486-1_slack12.2.tgz

Slackware 13.0 package:
a815411654ae4bade1b2da86fc0a7c2b  pidgin-2.7.10-i486-1_slack13.0.txz

Slackware x86_64 13.0 package:
90ba3fc3a66a9151b58d3c31263d8b76  pidgin-2.7.10-x86_64-1_slack13.0.txz

Slackware 13.1 package:
e28e50c9228699ec3c15a4e9e27bf9ee  pidgin-2.7.10-i486-1_slack13.1.txz

Slackware x86_64 13.1 package:
fd3c6651fc3bfa69c8926989bbad00e4  pidgin-2.7.10-x86_64-1_slack13.1.txz

Slackware -current package:
403d57466d634d06155374aa5509630c  pidgin-2.7.10-i486-1.txz

Slackware x86_64 -current package:
94fa5a028bf5e909b3044f883d404445  pidgin-2.7.10-x86_64-1.txz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg pidgin-2.7.10-i486-1_slack13.1.txz 


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

Those of you who use other distros, check your package manager to see whether an update for pidgin has been released yet.

1
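An added example, not part of the original post or of the Slackware advisory: a check that compares a downloaded package with the advisory's "MD5 signatures" list before `upgradepkg` is run. The function name `verify_pkg_md5` and the file name `advisory.txt` are assumptions; the MD5 value is only as trustworthy as the advisory text it is read from, so the advisory itself should be authenticated first (the advisory points to the team's key at http://slackware.com/gpg-key).

```sh
#!/bin/sh
# Added example (not from the advisory): check a package against the
# advisory's "MD5 signatures" list before upgrading.
# verify_pkg_md5 ADVISORY_FILE PACKAGE_FILE
#   returns 0 on match, 1 on mismatch, 2 if there is no unique entry.
verify_pkg_md5() {
    advisory=$1
    pkg=$2
    name=$(basename "$pkg")

    # Entries look like "<32 hex digits>  <file name>". Match the file name
    # exactly so the 12.0 and 13.1 builds cannot be mistaken for each other.
    expected=$(awk -v n="$name" '
        NF == 2 && $2 == n && length($1) == 32 && $1 ~ /^[0-9a-f]+$/ { print $1 }
    ' "$advisory")

    # Zero or several entries for this file: refuse rather than guess.
    count=$(printf '%s\n' "$expected" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "no unique MD5 entry for $name in $advisory" >&2
        return 2
    fi

    actual=$(md5sum "$pkg" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "MD5 mismatch for $name: $actual (file) vs $expected (advisory)" >&2
        return 1
    fi
    echo "OK: $name matches the advisory"
}

# Stand-alone use; advisory.txt is an assumed name for the saved advisory:
#   sh verify.sh advisory.txt pidgin-2.7.10-i486-1_slack13.1.txz \
#       && upgradepkg pidgin-2.7.10-i486-1_slack13.1.txz
if [ "$#" -eq 2 ]; then
    verify_pkg_md5 "$1" "$2"
    exit $?
fi
```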
DiSKuN

I'm at the office, and for now no update has been released for Ubuntu 10.10

Get

;) I know, Ubuntu is asleep as always.

Pidgin's About dialog now shows me:

Pidgin 2.7.10 (libpurple 2.7.10)
8b9cc64559d1bee0776f9a188fab4db115e309f4

this is the current one, which contains the fix.

1 reply
mTh

Does kopete use this library, Get?

Get

I don't think so:

at least my kopete doesn't.

get@Valhalla_pre:~$ ldd /usr/bin/kopete |grep purple
get@Valhalla_pre:~$ 
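An added example, not part of the thread: `ldd` on a program's main binary lists only the libraries resolved when it starts, so a library pulled in later by a plugin does not appear there. This script looks at running processes instead, reading `/proc/PID/maps`, and marks a process as stale when it still maps a libpurple file that has since been replaced on disk (for instance a client left running across the upgrade). The function names `lib_state` and `list_lib_users` are made up for this example.

```sh
#!/bin/sh
# Added example: which running processes have a given library mapped?

# lib_state MAPS_FILE LIBNAME
#   prints "stale" if LIBNAME.so* is mapped from a file since replaced or
#   removed on disk (maps shows "(deleted)"), "current" if the file still
#   exists; prints nothing and returns 1 if the library is not mapped.
lib_state() {
    awk -v lib="$2" '
        # maps fields: range perms offset dev inode [path] ["(deleted)"]
        NF >= 6 {
            n = split($6, parts, "/")
            if (index(parts[n], lib ".so") == 1) {
                found = 1
                if ($NF == "(deleted)") stale = 1
            }
        }
        END {
            if (!found) exit 1
            print (stale ? "stale" : "current")
        }
    ' "$1"
}

# list_lib_users LIBNAME [PROC_ROOT]
#   prints "PID COMMAND STATE" for every process that maps the library.
#   PROC_ROOT defaults to /proc; run as root to see other users' processes.
list_lib_users() {
    root=${2:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        state=$(lib_state "$dir/maps" "$1") || continue
        printf '%s %s %s\n' "${dir##*/}" "$(cat "$dir/comm" 2>/dev/null)" "$state"
    done
}

# Stand-alone use:  sh libusers.sh libpurple
if [ "$#" -gt 0 ]; then
    list_lib_users "$@"
fi
```

Any process reported as stale keeps the old library in memory until it is restarted.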
Get

UPDATE:

things get more complicated; it's not only adium or pidgin that are affected, but all of these:
*taken from http://developer.pidgin.im/wiki/WhatIsLibpurple
Who uses libpurple?

* Adium - A user-friendly graphical IM program for OS X.
* Apollo IM - IM application for the iPhone and iPod Touch.
* EQO - An IM program for mobile phones.
* Finch - A text-based IM program that works well in Linux and other Unixes.
* Instantbird - A graphical IM program based on Mozilla's XUL framework.
* Meebo - A web-based IM program.
* Palm - Maybe used in the messenger on the Palm Pre?
* Pidgin - A user-friendly graphical IM program for Windows, Linux and other Unixes.
* Telepathy-Haze - A connection manager for the Telepathy IM framework.
* Spectrum - Open source XMPP transport/gateway.

We're doing great, even the Facebook chat is based on libpurple.

2 replies
mTh

#6

True, I don't know why I didn't think of ldd.

It would have been easier to check that I don't have libpurple installed xD.

wiredfixer

OK, as far as I can tell, I have nothing with that library... but let's update anyway.

RaymaN

#6 what a fuss there would have been if the hole had been in WLM.

1 reply
gRaNaln0

#3 get, how you love to take a dig at Ubuntu, ehhhh xDDDDD

1 reply
Get

#9 so true, there would already be 50 thousand exploits. And surely they wouldn't release a fix until days/weeks later.

#10 yep, but just to name one, since it gets so much praise ...
