Executive Summary



This alert is flagged as belonging to the CWE/SANS Top 25 Common Weakness Enumeration.
Summary
Title: Pidgin vulnerabilities
Informations
Name: USN-2100-1
Vendor: Ubuntu
Severity (Vendor): N/A
First vendor Publication: 2014-02-06
Last vendor Modification: 2014-02-06
Revision: N/A

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score: 10
Cvss Impact Score: 10
Cvss Exploit Score: 10
Attack Range: Network
Attack Complexity: Low
Authentication: None Required

Detail

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 13.10
- Ubuntu 12.10
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Pidgin.

Software Description: - pidgin: graphical multi-protocol instant messaging client for X

Details:

Thijs Alkemade and Robert Vehse discovered that Pidgin incorrectly handled the Yahoo! protocol. A remote attacker could use this issue to cause Pidgin to crash, resulting in a denial of service. (CVE-2012-6152)

Jaime Breva Ribes discovered that Pidgin incorrectly handled the XMPP protocol. A remote attacker could use this issue to cause Pidgin to crash, resulting in a denial of service. (CVE-2013-6477)

It was discovered that Pidgin incorrectly handled long URLs. A remote attacker could use this issue to cause Pidgin to crash, resulting in a denial of service. (CVE-2013-6478)

Jacob Appelbaum discovered that Pidgin incorrectly handled certain HTTP responses. A malicious remote server or a man in the middle could use this issue to cause Pidgin to crash, resulting in a denial of service. (CVE-2013-6479)

Daniel Atallah discovered that Pidgin incorrectly handled the Yahoo! protocol. A remote attacker could use this issue to cause Pidgin to crash, resulting in a denial of service. (CVE-2013-6481)

Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin incorrectly handled the MSN protocol. A remote attacker could use this issue to cause Pidgin to crash, resulting in a denial of service. (CVE-2013-6482)

Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin incorrectly handled XMPP iq replies. A remote attacker could use this issue to spoof messages. (CVE-2013-6483)

It was discovered that Pidgin incorrectly handled STUN server responses. A remote attacker could use this issue to cause Pidgin to crash, resulting in a denial of service. (CVE-2013-6484)

Matt Jones discovered that Pidgin incorrectly handled certain chunked HTTP responses. A malicious remote server or a man in the middle could use this issue to cause Pidgin to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2013-6485)

Yves Younan and Ryan Pentney discovered that Pidgin incorrectly handled certain Gadu-Gadu HTTP messages. A malicious remote server or a man in the middle could use this issue to cause Pidgin to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2013-6487)

Yves Younan and Pawel Janic discovered that Pidgin incorrectly handled MXit emoticons. A remote attacker could use this issue to cause Pidgin to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2013-6489)

Yves Younan discovered that Pidgin incorrectly handled SIMPLE headers. A remote attacker could use this issue to cause Pidgin to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2013-6490)

Daniel Atallah discovered that Pidgin incorrectly handled IRC argument parsing. A malicious remote server or a man in the middle could use this issue to cause Pidgin to crash, resulting in a denial of service. (CVE-2014-0020)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 13.10:
libpurple0 1:2.10.7-0ubuntu4.1.13.10.1
pidgin 1:2.10.7-0ubuntu4.1.13.10.1

Ubuntu 12.10:
libpurple0 1:2.10.6-0ubuntu2.3
pidgin 1:2.10.6-0ubuntu2.3

Ubuntu 12.04 LTS:
libpurple0 1:2.10.3-0ubuntu1.4
pidgin 1:2.10.3-0ubuntu1.4

After a standard system update you need to restart Pidgin to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2100-1
CVE-2012-6152, CVE-2013-6477, CVE-2013-6478, CVE-2013-6479,
CVE-2013-6481, CVE-2013-6482, CVE-2013-6483, CVE-2013-6484,
CVE-2013-6485, CVE-2013-6487, CVE-2013-6489, CVE-2013-6490,
CVE-2014-0020

Package Information:
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.7-0ubuntu4.1.13.10.1
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.6-0ubuntu2.3
https://launchpad.net/ubuntu/+source/pidgin/1:2.10.3-0ubuntu1.4

Original Source

Url : http://www.ubuntu.com/usn/USN-2100-1

CWE : Common Weakness Enumeration

% Id Name
46 % CWE-20 Improper Input Validation
23 % CWE-189 Numeric Errors (CWE/SANS Top 25)
23 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
8 % CWE-399 Resource Management Errors

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:22203
 
Oval ID: oval:org.mitre.oval:def:22203
Title: RHSA-2014:0139: pidgin security update (Moderate)
Description: The IRC protocol plugin in libpurple in Pidgin before 2.10.8 does not validate argument counts, which allows remote IRC servers to cause a denial of service (application crash) via a crafted message.
Family: unix Class: patch
Reference(s): RHSA-2014:0139-00
CESA-2014:0139
CVE-2012-6152
CVE-2013-6477
CVE-2013-6478
CVE-2013-6479
CVE-2013-6481
CVE-2013-6482
CVE-2013-6483
CVE-2013-6484
CVE-2013-6485
CVE-2013-6487
CVE-2013-6489
CVE-2013-6490
CVE-2014-0020
Version: 111
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
CentOS Linux 5
CentOS Linux 6
Product(s): pidgin
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22226
 
Oval ID: oval:org.mitre.oval:def:22226
Title: DSA-2852-1 libgadu - heap-based buffer overflow
Description: Yves Younan and Ryan Pentney discovered that libgadu, a library for accessing the Gadu-Gadu instant messaging service, contained an integer overflow leading to a buffer overflow. Attackers which impersonate the server could crash clients and potentially execute arbitrary code.
Family: unix Class: patch
Reference(s): DSA-2852-1
CVE-2013-6487
Version: 5
Platform(s): Debian GNU/Linux 7
Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 7
Debian GNU/kFreeBSD 6.0
Product(s): libgadu
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22257
 
Oval ID: oval:org.mitre.oval:def:22257
Title: USN-2101-1 -- libgadu vulnerability
Description: libgadu could be made to crash or run programs if it received specially crafted network traffic.
Family: unix Class: patch
Reference(s): USN-2101-1
CVE-2013-6487
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Product(s): libgadu
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22474
 
Oval ID: oval:org.mitre.oval:def:22474
Title: DSA-2859-1 pidgin - several
Description: Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client.
Family: unix Class: patch
Reference(s): DSA-2859-1
CVE-2013-6477
CVE-2013-6478
CVE-2013-6479
CVE-2013-6481
CVE-2013-6482
CVE-2013-6483
CVE-2013-6484
CVE-2013-6485
CVE-2013-6487
CVE-2013-6489
CVE-2013-6490
CVE-2014-0020
Version: 5
Platform(s): Debian GNU/Linux 7
Debian GNU/kFreeBSD 7
Product(s): pidgin
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22557
 
Oval ID: oval:org.mitre.oval:def:22557
Title: USN-2100-1 -- pidgin vulnerabilities
Description: Several security issues were fixed in Pidgin.
Family: unix Class: patch
Reference(s): USN-2100-1
CVE-2012-6152
CVE-2013-6477
CVE-2013-6478
CVE-2013-6479
CVE-2013-6481
CVE-2013-6482
CVE-2013-6483
CVE-2013-6484
CVE-2013-6485
CVE-2013-6487
CVE-2013-6489
CVE-2013-6490
CVE-2014-0020
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Product(s): pidgin
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22786
 
Oval ID: oval:org.mitre.oval:def:22786
Title: DEPRECATED: ELSA-2014:0139: pidgin security update (Moderate)
Description: The IRC protocol plugin in libpurple in Pidgin before 2.10.8 does not validate argument counts, which allows remote IRC servers to cause a denial of service (application crash) via a crafted message.
Family: unix Class: patch
Reference(s): ELSA-2014:0139-00
CVE-2012-6152
CVE-2013-6477
CVE-2013-6478
CVE-2013-6479
CVE-2013-6481
CVE-2013-6482
CVE-2013-6483
CVE-2013-6484
CVE-2013-6485
CVE-2013-6487
CVE-2013-6489
CVE-2013-6490
CVE-2014-0020
Version: 58
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): pidgin
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24167
 
Oval ID: oval:org.mitre.oval:def:24167
Title: ELSA-2014:0139: pidgin security update (Moderate)
Description: The IRC protocol plugin in libpurple in Pidgin before 2.10.8 does not validate argument counts, which allows remote IRC servers to cause a denial of service (application crash) via a crafted message.
Family: unix Class: patch
Reference(s): ELSA-2014:0139-00
CVE-2012-6152
CVE-2013-6477
CVE-2013-6478
CVE-2013-6479
CVE-2013-6481
CVE-2013-6482
CVE-2013-6483
CVE-2013-6484
CVE-2013-6485
CVE-2013-6487
CVE-2013-6489
CVE-2013-6490
CVE-2014-0020
Version: 57
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): pidgin
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24323
 
Oval ID: oval:org.mitre.oval:def:24323
Title: DSA-2859-2 pidgin - security update
Description: Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client.
Family: unix Class: patch
Reference(s): DSA-2859-2
CVE-2013-6477
CVE-2013-6478
CVE-2013-6479
CVE-2013-6481
CVE-2013-6482
CVE-2013-6483
CVE-2013-6484
CVE-2013-6485
CVE-2013-6487
CVE-2013-6489
CVE-2013-6490
CVE-2014-0020
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): pidgin
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25166
 
Oval ID: oval:org.mitre.oval:def:25166
Title: SUSE-SU-2014:0702-1 -- Security update for finch
Description: The pidgin Instant Messenger has been updated to fix various security issues:
* CVE-2014-0020: Remotely triggerable crash in IRC argument parsing
* CVE-2013-6490: Buffer overflow in SIMPLE header parsing
* CVE-2013-6489: Buffer overflow in MXit emoticon parsing
* CVE-2013-6487: Buffer overflow in Gadu-Gadu HTTP parsing
* CVE-2013-6486: Pidgin uses clickable links to untrusted executables
* CVE-2013-6485: Buffer overflow parsing chunked HTTP responses
* CVE-2013-6484: Crash reading response from STUN server
* CVE-2013-6483: XMPP doesn't verify 'from' on some iq replies
* CVE-2013-6482: NULL pointer dereference parsing SOAP data in MSN
* CVE-2013-6482: NULL pointer dereference parsing OIM data in MSN
* CVE-2013-6482: NULL pointer dereference parsing headers in MSN
* CVE-2013-6481: Remote crash reading Yahoo! P2P message
* CVE-2013-6479: Remote crash parsing HTTP responses
* CVE-2013-6478: Crash when hovering pointer over a long URL
* CVE-2013-6477: Crash handling bad XMPP timestamp
* CVE-2012-6152: Yahoo! remote crash from incorrect character encoding
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0702-1
CVE-2014-0020
CVE-2013-6490
CVE-2013-6489
CVE-2013-6487
CVE-2013-6486
CVE-2013-6485
CVE-2013-6484
CVE-2013-6483
CVE-2013-6482
CVE-2013-6481
CVE-2013-6479
CVE-2013-6478
CVE-2013-6477
CVE-2012-6152
Version: 3
Platform(s): SUSE Linux Enterprise Desktop 11
Product(s): finch
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25421
 
Oval ID: oval:org.mitre.oval:def:25421
Title: SUSE-SU-2014:0790-1 -- Security update for libgadu
Description: A memory corruption vulnerability has been fixed in libgadu. CVE-2013-6487 has been assigned to this issue.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0790-1
CVE-2013-6487
Version: 3
Platform(s): SUSE Linux Enterprise Desktop 11
Product(s): libgadu
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27284
 
Oval ID: oval:org.mitre.oval:def:27284
Title: DEPRECATED: ELSA-2014-0139 -- pidgin security update (moderate)
Description: [2.7.9-27.el6] - Fix regression in CVE-2013-6483.
Family: unix Class: patch
Reference(s): ELSA-2014-0139
CVE-2012-6152
CVE-2013-6477
CVE-2013-6478
CVE-2013-6479
CVE-2013-6481
CVE-2013-6482
CVE-2013-6483
CVE-2013-6484
CVE-2013-6485
CVE-2013-6487
CVE-2013-6489
CVE-2013-6490
CVE-2014-0020
Version: 4
Platform(s): Oracle Linux 6
Product(s): pidgin
Definition Synopsis:

CPE : Common Platform Enumeration

Type Description Count
Application 66

Snort® IPS/IDS

Date Description
2014-01-10 Pidgin MXIT emoticon integer overflow attempt
RuleID : 28088 - Revision : 4 - Type : POLICY-SOCIAL

Nessus® Vulnerability Scanner

Date Description
2015-08-17 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201508-02.nasl - Type : ACT_GATHER_INFO
2015-01-19 Name : The remote Solaris system is missing a security patch for third-party software.
File : solaris11_pidgin_20140731.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote SuSE 11 host is missing a security update.
File : suse_11_libgadu-140521.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-400.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-132.nasl - Type : ACT_GATHER_INFO
2014-05-24 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_finch-140508.nasl - Type : ACT_GATHER_INFO
2014-05-19 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201405-22.nasl - Type : ACT_GATHER_INFO
2014-02-24 Name : The remote Fedora host is missing a security update.
File : fedora_2014-2341.nasl - Type : ACT_GATHER_INFO
2014-02-19 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-039.nasl - Type : ACT_GATHER_INFO
2014-02-17 Name : The remote Fedora host is missing a security update.
File : fedora_2014-1999.nasl - Type : ACT_GATHER_INFO
2014-02-17 Name : The remote Fedora host is missing a security update.
File : fedora_2014-2391.nasl - Type : ACT_GATHER_INFO
2014-02-12 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2859.nasl - Type : ACT_GATHER_INFO
2014-02-11 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2101-1.nasl - Type : ACT_GATHER_INFO
2014-02-07 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-2100-1.nasl - Type : ACT_GATHER_INFO
2014-02-07 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2852.nasl - Type : ACT_GATHER_INFO
2014-02-06 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140205_pidgin_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2014-02-06 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0139.nasl - Type : ACT_GATHER_INFO
2014-02-06 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-0139.nasl - Type : ACT_GATHER_INFO
2014-02-06 Name : The remote Fedora host is missing a security update.
File : fedora_2014-2013.nasl - Type : ACT_GATHER_INFO
2014-02-06 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-0139.nasl - Type : ACT_GATHER_INFO
2014-02-04 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2014-034-01.nasl - Type : ACT_GATHER_INFO
2014-02-04 Name : An instant messaging client installed on the remote Windows host is affected ...
File : pidgin_2_10_8.nasl - Type : ACT_GATHER_INFO

Alert History

Date Informations
2014-02-17 12:03:05
  • Multiple Updates
2014-02-07 00:22:10
  • Multiple Updates
2014-02-06 21:24:35
  • Multiple Updates
2014-02-06 17:18:33
  • First insertion