Executive Summary
| Informations | |||
|---|---|---|---|
| Name | MDVSA-2011:132 | First vendor Publication | 2011-09-06 |
| Vendor | Mandriva | Last vendor Modification | 2011-09-06 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:N/C:N/I:N/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 4.3 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Medium |
| Cvss Expoit Score | 8.6 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Multiple vulnerabilities has been identified and fixed in pidgin: It was found that the gdk-pixbuf GIF image loader routine gdk_pixbuf__gif_image_load() did not properly handle certain return values from its subroutines. A remote attacker could provide a specially-crafted GIF image, which, once opened in Pidgin, would lead gdk-pixbuf to return a partially initialized pixbuf structure. Using this structure, possibly containing a huge width and height, could lead to the application being terminated due to excessive memory use (CVE-2011-2485). Certain characters in the nicknames of IRC users can trigger a null pointer dereference in the IRC protocol plugin's handling of responses to WHO requests. This can cause a crash on some operating systems. Clients based on libpurple 2.8.0 through 2.9.0 are affected (CVE-2011-2943). Incorrect handling of HTTP 100 responses in the MSN protocol plugin can cause the application to attempt to access memory that it does not have access to. This only affects users who have turned on the HTTP connection method for their accounts (it's off by default). This might only be triggerable by a malicious server and not a malicious peer. We believe remote code execution is not possible (CVE-2011-3184). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=490 This update provides pidgin 2.10.0, which is not vulnerable to these issues. |
Original Source
| Url : http://www.mandriva.com/security/advisories?name=MDVSA-2011:132 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-399 | Resource Management Errors |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:18005 | |||
| Oval ID: | oval:org.mitre.oval:def:18005 | ||
| Title: | The irc_msg_who function in msgs.c in the IRC protocol plugin in libpurple 2.8.0 through 2.9.0 in Pidgin before 2.10.0 does not properly validate characters in nicknames, which allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted nickname that is not properly handled in a WHO response | ||
| Description: | The irc_msg_who function in msgs.c in the IRC protocol plugin in libpurple 2.8.0 through 2.9.0 in Pidgin before 2.10.0 does not properly validate characters in nicknames, which allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted nickname that is not properly handled in a WHO response. | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2011-2943 | Version: | 3 |
| Platform(s): | Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Pidgin |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:18284 | |||
| Oval ID: | oval:org.mitre.oval:def:18284 | ||
| Title: | The msn_httpconn_parse_data function in httpconn.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.0 does not properly handle HTTP 100 responses, which allows remote attackers to cause a denial of service (incorrect memory access and application crash) via vectors involving a crafted server message | ||
| Description: | The msn_httpconn_parse_data function in httpconn.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.0 does not properly handle HTTP 100 responses, which allows remote attackers to cause a denial of service (incorrect memory access and application crash) via vectors involving a crafted server message. | ||
| Family: | windows | Class: | vulnerability |
| Reference(s): | CVE-2011-3184 | Version: | 3 |
| Platform(s): | Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Pidgin |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2012-09-10 | Name : Slackware Advisory SSA:2011-178-01 pidgin File : nvt/esoft_slk_ssa_2011_178_01.nasl |
| 2012-08-30 | Name : Fedora Update for pidgin FEDORA-2012-8669 File : nvt/gb_fedora_2012_8669_pidgin_fc15.nasl |
| 2012-08-10 | Name : Gentoo Security Advisory GLSA 201206-11 (Pidgin) File : nvt/glsa_201206_11.nasl |
| 2012-08-10 | Name : Gentoo Security Advisory GLSA 201206-20 (gdk-pixbuf) File : nvt/glsa_201206_20.nasl |
| 2012-04-02 | Name : Fedora Update for pidgin FEDORA-2012-4600 File : nvt/gb_fedora_2012_4600_pidgin_fc15.nasl |
| 2012-01-09 | Name : Fedora Update for pidgin FEDORA-2011-17546 File : nvt/gb_fedora_2011_17546_pidgin_fc15.nasl |
| 2011-11-25 | Name : Ubuntu Update for pidgin USN-1273-1 File : nvt/gb_ubuntu_USN_1273_1.nasl |
| 2011-09-12 | Name : Fedora Update for pidgin FEDORA-2011-11595 File : nvt/gb_fedora_2011_11595_pidgin_fc14.nasl |
| 2011-09-12 | Name : Mandriva Update for pidgin MDVSA-2011:132 (pidgin) File : nvt/gb_mandriva_MDVSA_2011_132.nasl |
| 2011-09-09 | Name : Pidgin Libpurple Protocol Plugins Denial of Service Vulnerabilities (Win) File : nvt/gb_pidgin_libpurple_protocol_plugins_dos_vuln_win.nasl |
| 2011-09-07 | Name : Fedora Update for pidgin FEDORA-2011-11544 File : nvt/gb_fedora_2011_11544_pidgin_fc15.nasl |
| 2011-08-19 | Name : Fedora Update for gdk-pixbuf2 FEDORA-2011-8667 File : nvt/gb_fedora_2011_8667_gdk-pixbuf2_fc14.nasl |
| 2011-07-18 | Name : Fedora Update for pidgin FEDORA-2011-8917 File : nvt/gb_fedora_2011_8917_pidgin_fc14.nasl |
| 2011-07-12 | Name : Fedora Update for gdk-pixbuf2 FEDORA-2011-8672 File : nvt/gb_fedora_2011_8672_gdk-pixbuf2_fc15.nasl |
| 2011-07-12 | Name : Fedora Update for pidgin FEDORA-2011-8966 File : nvt/gb_fedora_2011_8966_pidgin_fc15.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 74826 | Pidgin libpurple MSN Protocol Plugin httpconn.c msn_httpconn_parse_data Funct... |
| 74825 | Pidgin libpurple IRC Protocol Plugin msgs.c irc_msg_who Function WHO Response... |
| 73333 | gdk-pixbuf gdk_pixbuf__gif_image_load() Buddy Icon GIF Handling DoS |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2013-01-25 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_gdk-pixbuf-120531.nasl - Type : ACT_GATHER_INFO |
| 2013-01-25 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_gtk2-120605.nasl - Type : ACT_GATHER_INFO |
| 2012-07-06 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_gdk-pixbuf-8158.nasl - Type : ACT_GATHER_INFO |
| 2012-07-06 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_gtk2-8174.nasl - Type : ACT_GATHER_INFO |
| 2012-06-25 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201206-20.nasl - Type : ACT_GATHER_INFO |
| 2012-06-22 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201206-11.nasl - Type : ACT_GATHER_INFO |
| 2011-11-22 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1273-1.nasl - Type : ACT_GATHER_INFO |
| 2011-09-07 | Name : The remote Fedora host is missing a security update. File : fedora_2011-11595.nasl - Type : ACT_GATHER_INFO |
| 2011-09-07 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2011-132.nasl - Type : ACT_GATHER_INFO |
| 2011-08-31 | Name : The remote Fedora host is missing a security update. File : fedora_2011-11544.nasl - Type : ACT_GATHER_INFO |
| 2011-08-22 | Name : An instant messaging client installed on the remote Windows host has multiple... File : pidgin_2_10_0.nasl - Type : ACT_GATHER_INFO |
| 2011-08-17 | Name : The remote Fedora host is missing a security update. File : fedora_2011-8667.nasl - Type : ACT_GATHER_INFO |
| 2011-07-28 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2011-178-01.nasl - Type : ACT_GATHER_INFO |
| 2011-06-27 | Name : The remote Fedora host is missing a security update. File : fedora_2011-8672.nasl - Type : ACT_GATHER_INFO |
| 2011-06-27 | Name : An instant messaging client installed on the remote Windows host is affected ... File : pidgin_2_9_0.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:42:24 |
|
