Executive Summary
Summary | |
---|---|
Title | Pidgin: Multiple vulnerabilities |
Informations | |||
---|---|---|---|
Name | GLSA-201405-22 | First vendor Publication | 2014-05-18 |
Vendor | Gentoo | Last vendor Modification | 2014-05-18 |
Severity (Vendor) | High | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Synopsis Multiple vulnerabilities in Pidgin may allow execution of arbitrary code. Background Description Impact Workaround Resolution All Pidgin users on ALPHA, PPC, PPC64, SPARC, and users of GNOME before References Availability |
Original Source
Url : http://security.gentoo.org/glsa/glsa-201405-22.xml |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
43 % | CWE-20 | Improper Input Validation |
29 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
21 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
7 % | CWE-399 | Resource Management Errors |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:17474 | |||
Oval ID: | oval:org.mitre.oval:def:17474 | ||
Title: | Buffer overflow in http.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.7 allows remote servers to execute arbitrary code via a long HTTP header | ||
Description: | Buffer overflow in http.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.7 allows remote servers to execute arbitrary code via a long HTTP header. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-0272 | Version: | 3 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Pidgin |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:18221 | |||
Oval ID: | oval:org.mitre.oval:def:18221 | ||
Title: | upnp.c in libpurple in Pidgin before 2.10.7 does not properly terminate long strings in UPnP responses, which allows remote attackers to cause a denial of service (application crash) by leveraging access to the local network | ||
Description: | upnp.c in libpurple in Pidgin before 2.10.7 does not properly terminate long strings in UPnP responses, which allows remote attackers to cause a denial of service (application crash) by leveraging access to the local network. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-0274 | Version: | 3 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Pidgin |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:18291 | |||
Oval ID: | oval:org.mitre.oval:def:18291 | ||
Title: | USN-1746-1 -- pidgin vulnerabilities | ||
Description: | Several security issues were fixed in Pidgin. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1746-1 CVE-2013-0271 CVE-2013-0272 CVE-2013-0273 CVE-2013-0274 | Version: | 5 |
Platform(s): | Ubuntu 12.10 Ubuntu 12.04 Ubuntu 11.10 Ubuntu 10.04 | Product(s): | pidgin |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18340 | |||
Oval ID: | oval:org.mitre.oval:def:18340 | ||
Title: | sametime.c in the Sametime protocol plugin in libpurple in Pidgin before 2.10.7 does not properly terminate long user IDs, which allows remote servers to cause a denial of service (application crash) via a crafted packet | ||
Description: | sametime.c in the Sametime protocol plugin in libpurple in Pidgin before 2.10.7 does not properly terminate long user IDs, which allows remote servers to cause a denial of service (application crash) via a crafted packet. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-0273 | Version: | 3 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Pidgin |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:18386 | |||
Oval ID: | oval:org.mitre.oval:def:18386 | ||
Title: | The MXit protocol plugin in libpurple in Pidgin before 2.10.7 might allow remote attackers to create or overwrite files via a crafted (1) mxit or (2) mxit/imagestrips pathname | ||
Description: | The MXit protocol plugin in libpurple in Pidgin before 2.10.7 might allow remote attackers to create or overwrite files via a crafted (1) mxit or (2) mxit/imagestrips pathname. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2013-0271 | Version: | 3 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Pidgin |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:22226 | |||
Oval ID: | oval:org.mitre.oval:def:22226 | ||
Title: | DSA-2852-1 libgadu - heap-based buffer overflow | ||
Description: | Yves Younan and Ryan Pentney discovered that libgadu, a library for accessing the Gadu-Gadu instant messaging service, contained an integer overflow leading to a buffer overflow. Attackers which impersonate the server could crash clients and potentially execute arbitrary code. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2852-1 CVE-2013-6487 | Version: | 5 |
Platform(s): | Debian GNU/Linux 7 Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 7 Debian GNU/kFreeBSD 6.0 | Product(s): | libgadu |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22257 | |||
Oval ID: | oval:org.mitre.oval:def:22257 | ||
Title: | USN-2101-1 -- libgadu vulnerability | ||
Description: | libgadu could be made to crash or run programs if it received specially crafted network traffic. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2101-1 CVE-2013-6487 | Version: | 5 |
Platform(s): | Ubuntu 13.10 Ubuntu 12.10 Ubuntu 12.04 | Product(s): | libgadu |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22474 | |||
Oval ID: | oval:org.mitre.oval:def:22474 | ||
Title: | DSA-2859-1 pidgin - several | ||
Description: | Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2859-1 CVE-2013-6477 CVE-2013-6478 CVE-2013-6479 CVE-2013-6481 CVE-2013-6482 CVE-2013-6483 CVE-2013-6484 CVE-2013-6485 CVE-2013-6487 CVE-2013-6489 CVE-2013-6490 CVE-2014-0020 | Version: | 5 |
Platform(s): | Debian GNU/Linux 7 Debian GNU/kFreeBSD 7 | Product(s): | pidgin |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22557 | |||
Oval ID: | oval:org.mitre.oval:def:22557 | ||
Title: | USN-2100-1 -- pidgin vulnerabilities | ||
Description: | Several security issues were fixed in Pidgin. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2100-1 CVE-2012-6152 CVE-2013-6477 CVE-2013-6478 CVE-2013-6479 CVE-2013-6481 CVE-2013-6482 CVE-2013-6483 CVE-2013-6484 CVE-2013-6485 CVE-2013-6487 CVE-2013-6489 CVE-2013-6490 CVE-2014-0020 | Version: | 5 |
Platform(s): | Ubuntu 13.10 Ubuntu 12.10 Ubuntu 12.04 | Product(s): | pidgin |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24323 | |||
Oval ID: | oval:org.mitre.oval:def:24323 | ||
Title: | DSA-2859-2 pidgin - security update | ||
Description: | Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2859-2 CVE-2013-6477 CVE-2013-6478 CVE-2013-6479 CVE-2013-6481 CVE-2013-6482 CVE-2013-6483 CVE-2013-6484 CVE-2013-6485 CVE-2013-6487 CVE-2013-6489 CVE-2013-6490 CVE-2014-0020 | Version: | 5 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | pidgin |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25166 | |||
Oval ID: | oval:org.mitre.oval:def:25166 | ||
Title: | SUSE-SU-2014:0702-1 -- Security update for finch | ||
Description: | The pidgin Instant Messenger has been updated to fix various security issues: * CVE-2014-0020: Remotely triggerable crash in IRC argument parsing * CVE-2013-6490: Buffer overflow in SIMPLE header parsing * CVE-2013-6489: Buffer overflow in MXit emoticon parsing * CVE-2013-6487: Buffer overflow in Gadu-Gadu HTTP parsing * CVE-2013-6486: Pidgin uses clickable links to untrusted executables * CVE-2013-6485: Buffer overflow parsing chunked HTTP responses * CVE-2013-6484: Crash reading response from STUN server * CVE-2013-6483: XMPP doesn't verify 'from' on some iq replies * CVE-2013-6482: NULL pointer dereference parsing SOAP data in MSN * CVE-2013-6482: NULL pointer dereference parsing OIM data in MSN * CVE-2013-6482: NULL pointer dereference parsing headers in MSN * CVE-2013-6481: Remote crash reading Yahoo! P2P message * CVE-2013-6479: Remote crash parsing HTTP responses * CVE-2013-6478: Crash when hovering pointer over a long URL * CVE-2013-6477: Crash handling bad XMPP timestamp * CVE-2012-6152: Yahoo! remote crash from incorrect character encoding | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0702-1 CVE-2014-0020 CVE-2013-6490 CVE-2013-6489 CVE-2013-6487 CVE-2013-6486 CVE-2013-6485 CVE-2013-6484 CVE-2013-6483 CVE-2013-6482 CVE-2013-6481 CVE-2013-6479 CVE-2013-6478 CVE-2013-6477 CVE-2012-6152 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Desktop 11 | Product(s): | finch |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25421 | |||
Oval ID: | oval:org.mitre.oval:def:25421 | ||
Title: | SUSE-SU-2014:0790-1 -- Security update for libgadu | ||
Description: | A memory corruption vulnerability has been fixed in libgadu. CVE-2013-6487 has been assigned to this issue. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0790-1 CVE-2013-6487 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Desktop 11 | Product(s): | libgadu |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:25961 | |||
Oval ID: | oval:org.mitre.oval:def:25961 | ||
Title: | SUSE-SU-2013:0388-1 -- Security update for pidgin | ||
Description: | idgin was updated to fix 4 security issues: * Fixed a crash when receiving UPnP responses with abnormally long values. (CVE-2013-0274, bnc#804742) * Fixed a crash in Sametime protocol when a malicious server sends us an abnormally long user ID. (CVE-2013-0273, bnc#804742) * Fixed a bug where the MXit server or a man-in-the-middle could potentially send specially crafted data that could overflow a buffer and lead to a crash or remote code execution.(CVE-2013-0272, bnc#804742) * Fixed a bug where a remote MXit user could possibly specify a local file path to be written to. (CVE-2013-0271, bnc#804742) | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:0388-1 CVE-2013-0274 CVE-2013-0273 CVE-2013-0272 CVE-2013-0271 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Desktop 11 SUSE Linux Enterprise Desktop 10 | Product(s): | pidgin |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | Pidgin MXIT emoticon integer overflow attempt RuleID : 28088 - Revision : 4 - Type : POLICY-SOCIAL |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-08-17 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201508-02.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_pidgin_20140731.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-177.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-231.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-132.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-400.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote SuSE 11 host is missing a security update. File : suse_11_libgadu-140521.nasl - Type : ACT_GATHER_INFO |
2014-05-24 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_finch-140508.nasl - Type : ACT_GATHER_INFO |
2014-05-19 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201405-22.nasl - Type : ACT_GATHER_INFO |
2014-02-24 | Name : The remote Fedora host is missing a security update. File : fedora_2014-2341.nasl - Type : ACT_GATHER_INFO |
2014-02-19 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-039.nasl - Type : ACT_GATHER_INFO |
2014-02-17 | Name : The remote Fedora host is missing a security update. File : fedora_2014-2391.nasl - Type : ACT_GATHER_INFO |
2014-02-17 | Name : The remote Fedora host is missing a security update. File : fedora_2014-1999.nasl - Type : ACT_GATHER_INFO |
2014-02-12 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2859.nasl - Type : ACT_GATHER_INFO |
2014-02-11 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2101-1.nasl - Type : ACT_GATHER_INFO |
2014-02-07 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2852.nasl - Type : ACT_GATHER_INFO |
2014-02-07 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2100-1.nasl - Type : ACT_GATHER_INFO |
2014-02-06 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20140205_pidgin_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2014-02-06 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0139.nasl - Type : ACT_GATHER_INFO |
2014-02-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-0139.nasl - Type : ACT_GATHER_INFO |
2014-02-06 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-0139.nasl - Type : ACT_GATHER_INFO |
2014-02-06 | Name : The remote Fedora host is missing a security update. File : fedora_2014-2013.nasl - Type : ACT_GATHER_INFO |
2014-02-04 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2014-034-01.nasl - Type : ACT_GATHER_INFO |
2014-02-04 | Name : An instant messaging client installed on the remote Windows host is affected ... File : pidgin_2_10_8.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-0646.nasl - Type : ACT_GATHER_INFO |
2013-03-15 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130314_pidgin_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-03-15 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-0646.nasl - Type : ACT_GATHER_INFO |
2013-03-15 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-0646.nasl - Type : ACT_GATHER_INFO |
2013-03-11 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_549787c1891611e2854968b599b52a02.nasl - Type : ACT_GATHER_INFO |
2013-03-05 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_finch-8475.nasl - Type : ACT_GATHER_INFO |
2013-03-05 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_finch-130227.nasl - Type : ACT_GATHER_INFO |
2013-02-26 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1746-1.nasl - Type : ACT_GATHER_INFO |
2013-02-18 | Name : An instant messaging client installed on the remote Windows host is affected ... File : pidgin_2_10_7.nasl - Type : ACT_GATHER_INFO |
2013-02-14 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2013-044-01.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-05-20 13:23:31 |
|
2014-05-18 21:21:17 |
|