Executive Summary

Summary
Titlepidgin security update
Informations
NameRHSA-2011:1820First vendor Publication2011-12-14
VendorRedHatLast vendor Modification2011-12-14
Severity (Vendor) ModerateRevision01

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Cvss Base Score5Attack RangeNetwork
Cvss Impact Score2.9Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated pidgin packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Description:

Pidgin is an instant messaging program which can log in to multiple
accounts on multiple instant messaging networks simultaneously.

An input sanitization flaw was found in the way the AOL Open System for
Communication in Realtime (OSCAR) protocol plug-in in Pidgin, used by the
AOL ICQ and AIM instant messaging systems, escaped certain UTF-8
characters. A remote attacker could use this flaw to crash Pidgin via a
specially-crafted OSCAR message. (CVE-2011-4601)

An input sanitization flaw was found in the way the Pidgin SILC (Secure
Internet Live Conferencing) protocol plug-in escaped certain UTF-8
characters in channel messages. A remote attacker could use this flaw to
crash Pidgin via a specially-crafted SILC message. (CVE-2011-4603)

Multiple NULL pointer dereference flaws were found in the Jingle extension
of the Extensible Messaging and Presence Protocol (XMPP) protocol plug-in
in Pidgin. A remote attacker could use these flaws to crash Pidgin via a
specially-crafted Jingle multimedia message. (CVE-2011-4602)

Red Hat would like to thank the Pidgin project for reporting these issues.
Upstream acknowledges Evgeny Boger as the original reporter of
CVE-2011-4601; Diego Bauche Madero from IOActive as the original reporter
of CVE-2011-4603; and Thijs Alkemade as the original reporter of
CVE-2011-4602.

All Pidgin users should upgrade to these updated packages, which contain
backported patches to resolve these issues. Pidgin must be restarted for
this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

761510 - CVE-2011-4602 pidgin: Multiple NULL pointer deference flaws by processing certain Jingle stanzas in the XMPP protocol plug-in
761517 - CVE-2011-4601 pidgin (libpurple): Invalid UTF-8 string handling in OSCAR messages
766446 - CVE-2011-4603 pidgin: SILC remote crash on channel messages

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2011-1820.html

CWE : Common Weakness Enumeration

idName
CWE-20Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:18408
 
Oval ID: oval:org.mitre.oval:def:18408
Title: family_feedbag.c in the oscar protocol plugin in libpurple in Pidgin before 2.10.1 does not perform the expected UTF-8 validation on message data, which allows remote attackers to cause a denial of service (application crash) via a crafted (1) AIM or (2) ICQ message associated with buddy-list addition
Description: family_feedbag.c in the oscar protocol plugin in libpurple in Pidgin before 2.10.1 does not perform the expected UTF-8 validation on message data, which allows remote attackers to cause a denial of service (application crash) via a crafted (1) AIM or (2) ICQ message associated with buddy-list addition.
Family: windows Class: vulnerability
Reference(s): CVE-2011-4601
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 8
Microsoft Windows Server 2012
Product(s): Pidgin
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21879
 
Oval ID: oval:org.mitre.oval:def:21879
Title: RHSA-2011:1821: pidgin security update (Moderate)
Description: The XMPP protocol plugin in libpurple in Pidgin before 2.10.1 does not properly handle missing fields in (1) voice-chat and (2) video-chat stanzas, which allows remote attackers to cause a denial of service (application crash) via a crafted message.
Family: unix Class: patch
Reference(s): RHSA-2011:1821-01
CESA-2011:1821
CVE-2011-4601
CVE-2011-4602
Version: 29
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): pidgin
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18420
 
Oval ID: oval:org.mitre.oval:def:18420
Title: The XMPP protocol plugin in libpurple in Pidgin before 2.10.1 does not properly handle missing fields in (1) voice-chat and (2) video-chat stanzas, which allows remote attackers to cause a denial of service (application crash) via a crafted message
Description: The XMPP protocol plugin in libpurple in Pidgin before 2.10.1 does not properly handle missing fields in (1) voice-chat and (2) video-chat stanzas, which allows remote attackers to cause a denial of service (application crash) via a crafted message.
Family: windows Class: vulnerability
Reference(s): CVE-2011-4602
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 8
Microsoft Windows Server 2012
Product(s): Pidgin
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23629
 
Oval ID: oval:org.mitre.oval:def:23629
Title: ELSA-2011:1821: pidgin security update (Moderate)
Description: The XMPP protocol plugin in libpurple in Pidgin before 2.10.1 does not properly handle missing fields in (1) voice-chat and (2) video-chat stanzas, which allows remote attackers to cause a denial of service (application crash) via a crafted message.
Family: unix Class: patch
Reference(s): ELSA-2011:1821-01
CVE-2011-4601
CVE-2011-4602
Version: 10
Platform(s): Oracle Linux 6
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21567
 
Oval ID: oval:org.mitre.oval:def:21567
Title: RHSA-2011:1820: pidgin security update (Moderate)
Description: The silc_channel_message function in ops.c in the SILC protocol plugin in libpurple in Pidgin before 2.10.1 does not perform the expected UTF-8 validation on message data, which allows remote attackers to cause a denial of service (application crash) via a crafted message, a different vulnerability than CVE-2011-3594.
Family: unix Class: patch
Reference(s): RHSA-2011:1820-01
CESA-2011:1820
CVE-2011-4601
CVE-2011-4602
CVE-2011-4603
Version: 42
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): pidgin
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18303
 
Oval ID: oval:org.mitre.oval:def:18303
Title: The silc_channel_message function in ops.c in the SILC protocol plugin in libpurple in Pidgin before 2.10.1 does not perform the expected UTF-8 validation on message data, which allows remote attackers to cause a denial of service (application crash) via a crafted message, a different vulnerability than CVE-2011-3594
Description: The silc_channel_message function in ops.c in the SILC protocol plugin in libpurple in Pidgin before 2.10.1 does not perform the expected UTF-8 validation on message data, which allows remote attackers to cause a denial of service (application crash) via a crafted message, a different vulnerability than CVE-2011-3594.
Family: windows Class: vulnerability
Reference(s): CVE-2011-4603
Version: 3
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 8
Microsoft Windows Server 2012
Product(s): Pidgin
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23420
 
Oval ID: oval:org.mitre.oval:def:23420
Title: ELSA-2011:1820: pidgin security update (Moderate)
Description: The silc_channel_message function in ops.c in the SILC protocol plugin in libpurple in Pidgin before 2.10.1 does not perform the expected UTF-8 validation on message data, which allows remote attackers to cause a denial of service (application crash) via a crafted message, a different vulnerability than CVE-2011-3594.
Family: unix Class: patch
Reference(s): ELSA-2011:1820-01
CVE-2011-4601
CVE-2011-4602
CVE-2011-4603
Version: 14
Platform(s): Oracle Linux 4
Oracle Linux 5
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application45

OpenVAS Exploits

DateDescription
2012-08-30Name : Fedora Update for pidgin FEDORA-2012-8669
File : nvt/gb_fedora_2012_8669_pidgin_fc15.nasl
2012-07-30Name : CentOS Update for finch CESA-2011:1820 centos4 x86_64
File : nvt/gb_CESA-2011_1820_finch_centos4_x86_64.nasl
2012-07-30Name : CentOS Update for finch CESA-2011:1820 centos5 x86_64
File : nvt/gb_CESA-2011_1820_finch_centos5_x86_64.nasl
2012-07-30Name : CentOS Update for finch CESA-2011:1821 centos6
File : nvt/gb_CESA-2011_1821_finch_centos6.nasl
2012-07-16Name : Fedora Update for pidgin FEDORA-2012-10294
File : nvt/gb_fedora_2012_10294_pidgin_fc16.nasl
2012-07-10Name : Ubuntu Update for pidgin USN-1500-1
File : nvt/gb_ubuntu_USN_1500_1.nasl
2012-07-09Name : RedHat Update for pidgin RHSA-2011:1821-01
File : nvt/gb_RHSA-2011_1821-01_pidgin.nasl
2012-06-11Name : Fedora Update for pidgin FEDORA-2012-8686
File : nvt/gb_fedora_2012_8686_pidgin_fc16.nasl
2012-04-02Name : Fedora Update for pidgin FEDORA-2011-17558
File : nvt/gb_fedora_2011_17558_pidgin_fc16.nasl
2012-04-02Name : Fedora Update for pidgin FEDORA-2012-4600
File : nvt/gb_fedora_2012_4600_pidgin_fc15.nasl
2012-03-26Name : Fedora Update for pidgin FEDORA-2012-4595
File : nvt/gb_fedora_2012_4595_pidgin_fc16.nasl
2012-01-09Name : Fedora Update for pidgin FEDORA-2011-17546
File : nvt/gb_fedora_2011_17546_pidgin_fc15.nasl
2011-12-21Name : Pidgin XMPP And SILC Protocols Denial of Service Vulnerabilities (Win)
File : nvt/secpod_pidgin_xmpp_and_silc_protocol_dos_vuln_win.nasl
2011-12-16Name : RedHat Update for pidgin RHSA-2011:1820-01
File : nvt/gb_RHSA-2011_1820-01_pidgin.nasl
2011-12-16Name : CentOS Update for finch CESA-2011:1820 centos4 i386
File : nvt/gb_CESA-2011_1820_finch_centos4_i386.nasl
2011-12-16Name : CentOS Update for finch CESA-2011:1820 centos5 i386
File : nvt/gb_CESA-2011_1820_finch_centos5_i386.nasl
2011-12-12Name : Mandriva Update for pidgin MDVSA-2011:183 (pidgin)
File : nvt/gb_mandriva_MDVSA_2011_183.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
77751Pidgin libpurple/protocols/silc/ops.c silc_channel_message() Function SILC Me...
77750Pidgin XMPP Protocol Missing Field Video / Voice Chat Stanza Remote DoS
77749Pidgin libpurple/protocols/oscar/family_feedbag.c Oscar Protocol Buddy Additi...

Nessus® Vulnerability Scanner

DateDescription
2013-07-12Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2011-1820.nasl - Type : ACT_GATHER_INFO
2013-07-12Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2011-1821.nasl - Type : ACT_GATHER_INFO
2012-08-01Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20111214_pidgin_on_SL4_x.nasl - Type : ACT_GATHER_INFO
2012-08-01Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20111214_pidgin_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2012-07-10Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1500-1.nasl - Type : ACT_GATHER_INFO
2012-01-10Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_finch-7901.nasl - Type : ACT_GATHER_INFO
2012-01-10Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_finch-111226.nasl - Type : ACT_GATHER_INFO
2012-01-09Name : The remote Fedora host is missing a security update.
File : fedora_2011-17546.nasl - Type : ACT_GATHER_INFO
2012-01-06Name : The remote Fedora host is missing a security update.
File : fedora_2011-17558.nasl - Type : ACT_GATHER_INFO
2011-12-23Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2011-1821.nasl - Type : ACT_GATHER_INFO
2011-12-15Name : An instant messaging client installed on the remote Windows host is potential...
File : pidgin_2_10_1.nasl - Type : ACT_GATHER_INFO
2011-12-15Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2011-1820.nasl - Type : ACT_GATHER_INFO
2011-12-15Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2011-1820.nasl - Type : ACT_GATHER_INFO
2011-12-15Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2011-1821.nasl - Type : ACT_GATHER_INFO
2011-12-12Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2011-183.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2014-02-17 11:55:26
  • Multiple Updates