Executive Summary
Summary | |
---|---|
Title | pidgin security update |
Informations | |||
---|---|---|---|
Name | RHSA-2010:0115 | First vendor Publication | 2010-02-18 |
Vendor | RedHat | Last vendor Modification | 2010-02-18 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated pidgin packages that fix three security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Description: Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. An input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially-crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277) A denial of service flaw was found in Finch's XMPP chat implementation, when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML "br" element, it would cause Finch to crash. (CVE-2010-0420) Red Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project for responsibly reporting the CVE-2010-0420 issue. A denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. (CVE-2010-0423) These packages upgrade Pidgin to version 2.6. |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2010-0115.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
67 % | CWE-399 | Resource Management Errors |
33 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:11485 | |||
Oval ID: | oval:org.mitre.oval:def:11485 | ||
Title: | libpurple in Finch in Pidgin before 2.6.6, when an XMPP multi-user chat (MUC) room is used, does not properly parse nicknames containing br sequences, which allows remote attackers to cause a denial of service (application crash) via a crafted nickname. | ||
Description: | libpurple in Finch in Pidgin before 2.6.6, when an XMPP multi-user chat (MUC) room is used, does not properly parse nicknames containing <br> sequences, which allows remote attackers to cause a denial of service (application crash) via a crafted nickname. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2010-0420 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:12923 | |||
Oval ID: | oval:org.mitre.oval:def:12923 | ||
Title: | USN-902-1 -- pidgin vulnerabilities | ||
Description: | Fabian Yamaguchi discovered that Pidgin incorrectly validated all fields of an incoming message in the MSN protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. Sadrul Habib Chowdhury discovered that Pidgin incorrectly handled certain nicknames in Finch group chat rooms. A remote attacker could use a specially crafted nickname and cause Pidgin to crash, leading to a denial of service. Antti Hayrynen discovered that Pidgin incorrectly handled large numbers of smileys. A remote attacker could send a specially crafted message and cause Pidgin to become unresponsive, leading to a denial of service | ||
Family: | unix | Class: | patch |
Reference(s): | USN-902-1 CVE-2010-0277 CVE-2010-0420 CVE-2010-0423 | Version: | 5 |
Platform(s): | Ubuntu 8.04 Ubuntu 8.10 Ubuntu 9.10 Ubuntu 9.04 | Product(s): | pidgin |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:13098 | |||
Oval ID: | oval:org.mitre.oval:def:13098 | ||
Title: | DSA-2038-1 pidgin -- several | ||
Description: | Several remote vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-0420 Crafted nicknames in the XMPP protocol can crash Pidgin remotely. CVE-2010-0423 Remote contacts may send too many custom smilies, crashing Pidgin. Since a few months, Microsoft's servers for MSN have changed the protocol, making Pidgin non-functional for use with MSN. It is not feasible to port these changes to the version of Pidgin in Debian Lenny. This update formalises that situation by disabling the protocol in the client. Users of the MSN protocol are advised to use the version of Pidgin in the repositories of www.backports.org. For the stable distribution, these problems have been fixed in version 2.4.3-4lenny6. For the unstable distribution, these problems have been fixed in version 2.6.6-1. We recommend that you upgrade your pidgin package. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2038-1 CVE-2010-0420 CVE-2010-0423 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | pidgin |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:13498 | |||
Oval ID: | oval:org.mitre.oval:def:13498 | ||
Title: | DSA-2038-2 pidgin -- several | ||
Description: | The packages for Pidgin released as DSA 2038-1 had a regression, as they unintentionally disabled the Zephyr instant messaging protocol. This update restores Zephyr functionality. For reference the original advisory text below. Several remote vulnerabilities have been discovered in Pidgin, a multi protocol instant messaging client. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-0420 Crafted nicknames in the XMPP protocol can crash Pidgin remotely. CVE-2010-0423 Remote contacts may send too many custom smilies, crashing Pidgin. Since a few months, Microsoft’s servers for MSN have changed the protocol, making Pidgin non-functional for use with MSN. It is not feasible to port these changes to the version of Pidgin in Debian Lenny. This update formalises that situation by disabling the protocol in the client. Users of the MSN protocol are advised to use the version of Pidgin in the repositories of www.backports.org. For the stable distribution, these problems have been fixed in version 2.4.3-4lenny7. For the unstable distribution, these problems have been fixed in version 2.6.6-1. We recommend that you upgrade your pidgin package. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2038-2 CVE-2010-0420 CVE-2010-0423 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | pidgin |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:13590 | |||
Oval ID: | oval:org.mitre.oval:def:13590 | ||
Title: | DSA-2038-3 pidgin -- several | ||
Description: | The packages for Pidgin released as DSA 2038-2 had a regression, as they unintentionally disabled the Silc, Simple, and Yahoo instant messaging protocols. This update restores that functionality. For reference the original advisory text below. Several remote vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-0420 Crafted nicknames in the XMPP protocol can crash Pidgin remotely. CVE-2010-0423 Remote contacts may send too many custom smilies, crashing Pidgin. Since a few months, Microsoft’s servers for MSN have changed the protocol, making Pidgin non-functional for use with MSN. It is not feasible to port these changes to the version of Pidgin in Debian Lenny. This update formalises that situation by disabling the protocol in the client. Users of the MSN protocol are advised to use the version of Pidgin in the repositories of www.backports.org. For the stable distribution, these problems have been fixed in version 2.4.3-4lenny8. For the unstable distribution, these problems have been fixed in version 2.6.6-1. We recommend that you upgrade your pidgin package. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2038-3 CVE-2010-0420 CVE-2010-0423 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | pidgin |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17554 | |||
Oval ID: | oval:org.mitre.oval:def:17554 | ||
Title: | gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat | ||
Description: | gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2010-0423 | Version: | 3 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Pidgin |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:18230 | |||
Oval ID: | oval:org.mitre.oval:def:18230 | ||
Title: | libpurple in Finch in Pidgin before 2.6.6, when an XMPP multi-user chat (MUC) room is used, does not properly parse nicknames containing <br> sequences, which allows remote attackers to cause a denial of service (application crash) via a crafted nickname | ||
Description: | libpurple in Finch in Pidgin before 2.6.6, when an XMPP multi-user chat (MUC) room is used, does not properly parse nicknames containing <br> sequences, which allows remote attackers to cause a denial of service (application crash) via a crafted nickname. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2010-0420 | Version: | 3 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Pidgin |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:18348 | |||
Oval ID: | oval:org.mitre.oval:def:18348 | ||
Title: | slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013 | ||
Description: | slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2010-0277 | Version: | 3 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Pidgin |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:21886 | |||
Oval ID: | oval:org.mitre.oval:def:21886 | ||
Title: | RHSA-2010:0115: pidgin security update (Moderate) | ||
Description: | gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2010:0115-01 CESA-2010:0115 CVE-2010-0277 CVE-2010-0420 CVE-2010-0423 | Version: | 42 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | pidgin |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22985 | |||
Oval ID: | oval:org.mitre.oval:def:22985 | ||
Title: | ELSA-2010:0115: pidgin security update (Moderate) | ||
Description: | gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010:0115-01 CVE-2010-0277 CVE-2010-0420 CVE-2010-0423 | Version: | 17 |
Platform(s): | Oracle Linux 5 | Product(s): | pidgin |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:6637 | |||
Oval ID: | oval:org.mitre.oval:def:6637 | ||
Title: | DSA-2038 pidgin -- several vulnerabilities | ||
Description: | Several remote vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client. The Common Vulnerabilities and Exposures project identifies the following problems: Crafted nicknames in the XMPP protocol can crash Pidgin remotely. Remote contacts may send too many custom smilies, crashing Pidgin. Since a few months, Microsoft’s servers for MSN have changed the protocol, making Pidgin non-functional for use with MSN. It is not feasible to port these changes to the version of Pidgin in Debian Lenny. This update formalises that situation by disabling the protocol in the client. Users of the MSN protocol are advised to use the version of Pidgin in the repositories of www.backports.org. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2038 CVE-2010-0420 CVE-2010-0423 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | pidgin |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:9421 | |||
Oval ID: | oval:org.mitre.oval:def:9421 | ||
Title: | slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013. | ||
Description: | slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2010-0277 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:9842 | |||
Oval ID: | oval:org.mitre.oval:def:9842 | ||
Title: | gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat. | ||
Description: | gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2010-0423 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2011-08-09 | Name : CentOS Update for finch CESA-2010:0115 centos5 i386 File : nvt/gb_CESA-2010_0115_finch_centos5_i386.nasl |
2011-01-24 | Name : Debian Security Advisory DSA 2038-3 (pidgin) File : nvt/deb_2038_3.nasl |
2010-11-16 | Name : Fedora Update for pidgin FEDORA-2010-17130 File : nvt/gb_fedora_2010_17130_pidgin_fc12.nasl |
2010-08-02 | Name : Fedora Update for pidgin FEDORA-2010-11315 File : nvt/gb_fedora_2010_11315_pidgin_fc12.nasl |
2010-06-03 | Name : Debian Security Advisory DSA 2038-2 (pidgin) File : nvt/deb_2038_2.nasl |
2010-05-28 | Name : Fedora Update for pidgin FEDORA-2010-8524 File : nvt/gb_fedora_2010_8524_pidgin_fc12.nasl |
2010-05-28 | Name : Fedora Update for pidgin FEDORA-2010-8523 File : nvt/gb_fedora_2010_8523_pidgin_fc11.nasl |
2010-05-04 | Name : Debian Security Advisory DSA 2038-1 (pidgin) File : nvt/deb_2038_1.nasl |
2010-05-04 | Name : FreeBSD Ports: pidgin File : nvt/freebsd_pidgin1.nasl |
2010-04-30 | Name : Mandriva Update for pidgin MDVSA-2010:085 (pidgin) File : nvt/gb_mandriva_MDVSA_2010_085.nasl |
2010-03-02 | Name : Ubuntu Update for pidgin vulnerabilities USN-902-1 File : nvt/gb_ubuntu_USN_902_1.nasl |
2010-03-02 | Name : Mandriva Update for dhcp MDVA-2010:085 (dhcp) File : nvt/gb_mandriva_MDVA_2010_085.nasl |
2010-03-02 | Name : Fedora Update for pidgin FEDORA-2010-1383 File : nvt/gb_fedora_2010_1383_pidgin_fc12.nasl |
2010-03-02 | Name : Fedora Update for pidgin FEDORA-2010-1279 File : nvt/gb_fedora_2010_1279_pidgin_fc11.nasl |
2010-02-22 | Name : CentOS Update for finch CESA-2010:0115 centos4 i386 File : nvt/gb_CESA-2010_0115_finch_centos4_i386.nasl |
2010-02-19 | Name : RedHat Update for pidgin RHSA-2010:0115-01 File : nvt/gb_RHSA-2010_0115-01_pidgin.nasl |
2010-02-19 | Name : Mandriva Update for pidgin MDVSA-2010:041 (pidgin) File : nvt/gb_mandriva_MDVSA_2010_041.nasl |
2010-01-29 | Name : Mandriva Update for mjpegtools MDVA-2010:041 (mjpegtools) File : nvt/gb_mandriva_MDVA_2010_041.nasl |
2010-01-16 | Name : Pidgin MSN Protocol Plugin Denial Of Service Vulnerability (Linux) File : nvt/gb_pidgin_msnslp_dos_vuln_lin.nasl |
2010-01-16 | Name : Pidgin MSN Protocol Plugin Denial Of Service Vulnerability (Win) File : nvt/gb_pidgin_msnslp_dos_vuln_win.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2010-069-01 pidgin File : nvt/esoft_slk_ssa_2010_069_01.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
62440 | Pidgin gtkimhtml.c Excessive Smiley CPU Consumption Remote DoS |
62439 | Pidgin XMPP Multi-user Chat Room Malformed Nickname Remote DoS |
61626 | Adium libpurple MSN protocol plugin slp.c Unspecified Memory Corruption |
61625 | Pidgin libpurple MSN protocol plugin slp.c Unspecified Memory Corruption |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-12-28 | Name : The remote host is missing Sun Security Patch number 143318-03 File : solaris10_x86_143318.nasl - Type : ACT_GATHER_INFO |
2013-12-28 | Name : The remote host is missing Sun Security Patch number 143317-03 File : solaris10_143317.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0115.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20100218_pidgin_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2011-01-27 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_finch-6856.nasl - Type : ACT_GATHER_INFO |
2011-01-27 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_finch-6861.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-1934.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-1383.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-1279.nasl - Type : ACT_GATHER_INFO |
2010-04-29 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-085.nasl - Type : ACT_GATHER_INFO |
2010-04-21 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_a2c4d3d54c7b11df83fb0015587e2cc1.nasl - Type : ACT_GATHER_INFO |
2010-04-19 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2038.nasl - Type : ACT_GATHER_INFO |
2010-03-11 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2010-069-01.nasl - Type : ACT_GATHER_INFO |
2010-03-04 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_finch-100219.nasl - Type : ACT_GATHER_INFO |
2010-03-04 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_finch-100219.nasl - Type : ACT_GATHER_INFO |
2010-03-04 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_finch-100219.nasl - Type : ACT_GATHER_INFO |
2010-03-03 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_finch-100219.nasl - Type : ACT_GATHER_INFO |
2010-02-23 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-902-1.nasl - Type : ACT_GATHER_INFO |
2010-02-22 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0115.nasl - Type : ACT_GATHER_INFO |
2010-02-19 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0115.nasl - Type : ACT_GATHER_INFO |
2010-02-19 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-041.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:53:16 |
|