Posts Tagged ‘pidgin’

[USN-886-1] Pidgin Vulnerabilities

January 18th, 2010

We’ve got a load of security vulnerabilities to announce for Pidgin today. The patched packages should be available for download at most Ubuntu mirrors. I would advise that you update as soon as possible.

Details follow:

  • It was discovered that Pidgin did not properly handle certain topic messages in the IRC protocol handler. If a user were tricked into connecting to a malicious IRC server, an attacker could cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-2703)
  • It was discovered that Pidgin did not properly enforce the “require TLS/SSL” setting when connecting to certain older Jabber servers. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3026)
  • It was discovered that Pidgin did not properly handle certain SLP invite messages in the MSN protocol handler. A remote attacker could send a specially crafted invite message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3083)
  • It was discovered that Pidgin did not properly handle certain errors in the XMPP protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3085)
  • It was discovered that Pidgin did not properly handle malformed contact-list data in the OSCAR protocol handler. A remote attacker could send specially crafted contact-list data and cause Pidgin to crash, leading to a denial of service. (CVE-2009-3615)
  • It was discovered that Pidgin did not properly handle custom smiley requests in the MSN protocol handler. A remote attacker could send a specially crafted filename in a custom smiley request and obtain arbitrary files via directory traversal. This issue only affected Ubuntu 8.10, Ubuntu 9.04 and Ubuntu 9.10. (CVE-2010-0013)

Pidgin for Ubuntu 8.04 LTS was also updated to fix connection issues with the MSN protocol.

USN-675-1 and USN-781-1 provided updated Pidgin packages to fix multiple security vulnerabilities in Ubuntu 8.04 LTS. The security patches to fix CVE-2008-2955 and CVE-2009-1376 were incomplete. This update corrects the problem.

Original advisory details:

  • It was discovered that Pidgin did not properly handle file transfers containing a long filename and special characters in the MSN protocol handler. A remote attacker could send a specially crafted filename in a file transfer request and cause Pidgin to crash, leading to a denial of service. (CVE-2008-2955)
  • It was discovered that Pidgin did not properly handle certain malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2009-1376)

To apply these fixes, please update your system as soon as possible. You can use the graphical Update Manager tool, or use the following two commands from the Terminal:

sudo aptitude update
sudo aptitude safe-upgrade

After a standard system upgrade you need to restart Pidgin to effect the necessary changes.
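A check for the restart step above, as an added example that is not part of the original advisory: a Pidgin process that was started before the upgrade keeps the replaced files mapped, and Linux marks those entries "(deleted)" in /proc/<pid>/maps. The function names and the sample maps text are constructed for illustration.

```shell
#!/bin/sh
# stale_maps PATTERN: read /proc/<pid>/maps-format text on stdin and print
# each mapped file that was replaced on disk (suffix "(deleted)") and whose
# path matches PATTERN (an awk extended regex).
stale_maps() {
    awk -v pat="$1" '
        # Columns: range perms offset dev inode path... [(deleted)]
        $NF == "(deleted)" && NF >= 7 {
            path = $6
            for (i = 7; i < NF; i++) path = path " " $i
            if (path ~ pat && !seen[path]++) print path
        }'
}

# needs_restart PID: 0 if PID still maps pre-upgrade Pidgin code,
# 1 if it does not, 2 if the maps file cannot be read.
needs_restart() {
    [ -r "/proc/$1/maps" ] || return 2
    [ -n "$(stale_maps 'pidgin|libpurple' < "/proc/$1/maps")" ]
}

# Constructed sample of a maps file after an upgrade (not real output).
SAMPLE_MAPS='08048000-0811c000 r-xp 00000000 08:01 131090 /usr/bin/pidgin (deleted)
b7a00000-b7b20000 r-xp 00000000 08:01 131455 /usr/lib/libpurple.so.0.6.5 (deleted)
b7a00000-b7b20000 rw-p 00120000 08:01 131455 /usr/lib/libpurple.so.0.6.5 (deleted)
b7c00000-b7d40000 r-xp 00000000 08:01 130001 /lib/libc-2.9.so
b7e00000-b7e10000 rw-p 00000000 00:00 0'

sample_report() { printf '%s\n' "$SAMPLE_MAPS" | stale_maps 'pidgin|libpurple'; }

# Check every running pidgin process owned by a user we can inspect.
check_running() {
    for pid in $(pgrep -x pidgin 2>/dev/null); do
        if needs_restart "$pid"; then
            echo "pidgin (pid $pid) is still running pre-upgrade code; restart it"
        fi
    done
    return 0
}

check_running
```

No output means no running Pidgin process is still using replaced files; run it as the user who owns the Pidgin session, or as root, so the maps files are readable.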

Categories: Security

Disable Pidgin Pop-Up Notification System

September 12th, 2009

I’ll admit that, so far, I’m not a big fan of the 9.04 notification system. It does remind me a lot of OS X “Growl”, but the lack of customization options makes it frustrating at times. I do hope that the developers continue to improve on the system as I think it could be a very nice tool given a little more attention.

In the meantime I have disabled Pidgin from using it. I don’t need every inbound IM and status change to be displayed for all to see.

Disable Pidgin Notifications

This “annoyance” can be easily fixed by disabling the libnotify plugin within the Pidgin plugins manager. To disable this system go to Tools > Plugins and untick the checkbox next to “Libnotify Popups”.

Also, if you’d prefer, you can try to customize the pop-up behavior by selecting the “Configure Plugin” button.

Hopefully being able to customize this or disable it altogether will make the new notification system livable until some improvements are made.

Categories: Ubuntu

Improve Application Startup Times With Preload

July 8th, 2008

If your computer habits are anything like mine, you probably have a set of applications that you use nearly every time you log in to the machine. Let me guess... Firefox? Pidgin perhaps? Thunderbird or Evolution? You may have more or less, but it is common for a user to use the same applications regularly. Wouldn’t it be nice if those commonly used applications could start up faster? That is possible with a tool called “Preload”.

Installing Preload

The preload service is available through the main Ubuntu repositories, and can be installed by running the command:

sudo aptitude install preload

A few things to note now about using Preload.  First, this will not improve boot time.  Preload monitors recurring applications and, after establishing a pattern, will preload those binaries into memory at startup.  Given that it also has to establish a pattern you may not see a performance increase immediately.  Give it some time though, you’ll start to see a difference soon enough!