Executive Summary
Summary | |
---|---|
Title | pidgin security update |
Informations | |||
---|---|---|---|
Name | RHSA-2010:0044 | First vendor Publication | 2010-01-14 |
Vendor | RedHat | Last vendor Modification | 2010-01-14 |
Severity (Vendor) | Important | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated pidgin packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Description: Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. A directory traversal flaw was discovered in Pidgin's MSN protocol implementation. A remote attacker could send a specially-crafted emoticon image download request that would cause Pidgin to disclose an arbitrary file readable to the user running Pidgin. (CVE-2010-0013) These packages upgrade Pidgin to version 2.6.5. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog All Pidgin users should upgrade to these updated packages, which correct this issue. Pidgin must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 552483 - CVE-2010-0013 pidgin/libpurple: MSN custom smiley request directory traversal file disclosure |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2010-0044.html |
CAPEC : Common Attack Pattern Enumeration & Classification
Id | Name |
---|---|
CAPEC-23 | File System Function Injection, Content Based |
CAPEC-64 | Using Slashes and URL Encoding Combined to Bypass Validation Logic |
CAPEC-76 | Manipulating Input to File System Calls |
CAPEC-78 | Using Escaped Slashes in Alternate Encoding |
CAPEC-79 | Using Slashes in Alternate Encoding |
CAPEC-139 | Relative Path Traversal |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10333 | |||
Oval ID: | oval:org.mitre.oval:def:10333 | ||
Title: | Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon. | ||
Description: | Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2010-0013 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:17620 | |||
Oval ID: | oval:org.mitre.oval:def:17620 | ||
Title: | Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon | ||
Description: | Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2010-0013 | Version: | 3 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows 8 Microsoft Windows Server 2012 | Product(s): | Pidgin |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:22173 | |||
Oval ID: | oval:org.mitre.oval:def:22173 | ||
Title: | RHSA-2010:0044: pidgin security update (Important) | ||
Description: | Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2010:0044-01 CESA-2010:0044 CVE-2010-0013 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | pidgin |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23006 | |||
Oval ID: | oval:org.mitre.oval:def:23006 | ||
Title: | ELSA-2010:0044: pidgin security update (Important) | ||
Description: | Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2010:0044-01 CVE-2010-0013 | Version: | 6 |
Platform(s): | Oracle Linux 5 | Product(s): | pidgin |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 | |
Application | 1 | |
Os | 2 | |
Os | 6 | |
Os | 2 | |
Os | 1 | |
Os | 2 |
ExploitDB Exploits
id | Description |
---|---|
2010-01-19 | Pidgin MSN <= 2.6.4 File Download Vulnerability |
OpenVAS Exploits
Date | Description |
---|---|
2012-08-10 | Name : Gentoo Security Advisory GLSA 201206-11 (Pidgin) File : nvt/glsa_201206_11.nasl |
2011-08-09 | Name : CentOS Update for finch CESA-2010:0044 centos5 i386 File : nvt/gb_CESA-2010_0044_finch_centos5_i386.nasl |
2010-11-16 | Name : Fedora Update for pidgin FEDORA-2010-17130 File : nvt/gb_fedora_2010_17130_pidgin_fc12.nasl |
2010-08-02 | Name : Fedora Update for pidgin FEDORA-2010-11315 File : nvt/gb_fedora_2010_11315_pidgin_fc12.nasl |
2010-05-28 | Name : Fedora Update for pidgin FEDORA-2010-8524 File : nvt/gb_fedora_2010_8524_pidgin_fc12.nasl |
2010-05-28 | Name : Fedora Update for pidgin FEDORA-2010-8523 File : nvt/gb_fedora_2010_8523_pidgin_fc11.nasl |
2010-05-04 | Name : FreeBSD Ports: pidgin File : nvt/freebsd_pidgin1.nasl |
2010-04-30 | Name : Mandriva Update for pidgin MDVSA-2010:085 (pidgin) File : nvt/gb_mandriva_MDVSA_2010_085.nasl |
2010-03-02 | Name : Fedora Update for pidgin FEDORA-2010-0429 File : nvt/gb_fedora_2010_0429_pidgin_fc11.nasl |
2010-03-02 | Name : Fedora Update for pidgin FEDORA-2010-0368 File : nvt/gb_fedora_2010_0368_pidgin_fc12.nasl |
2010-03-02 | Name : Fedora Update for pidgin FEDORA-2010-1279 File : nvt/gb_fedora_2010_1279_pidgin_fc11.nasl |
2010-03-02 | Name : Fedora Update for pidgin FEDORA-2010-1383 File : nvt/gb_fedora_2010_1383_pidgin_fc12.nasl |
2010-03-02 | Name : Mandriva Update for dhcp MDVA-2010:085 (dhcp) File : nvt/gb_mandriva_MDVA_2010_085.nasl |
2010-01-20 | Name : Ubuntu Update for pidgin vulnerabilities USN-886-1 File : nvt/gb_ubuntu_USN_886_1.nasl |
2010-01-19 | Name : RedHat Update for pidgin RHSA-2010:0044-01 File : nvt/gb_RHSA-2010_0044-01_pidgin.nasl |
2010-01-19 | Name : CentOS Update for finch CESA-2010:0044 centos4 i386 File : nvt/gb_CESA-2010_0044_finch_centos4_i386.nasl |
2010-01-19 | Name : CentOS Update for finch CESA-2010:0044 centos4 x86_64 File : nvt/gb_CESA-2010_0044_finch_centos4_x86_64.nasl |
2010-01-16 | Name : Pidgin MSN Custom Smileys File Disclosure Vulnerability (Linux) File : nvt/gb_pidgin_msnslp_dir_trav_vuln_lin.nasl |
2010-01-16 | Name : Pidgin MSN Custom Smileys File Disclosure Vulnerability (Win) File : nvt/gb_pidgin_msnslp_dir_trav_vuln_win.nasl |
2010-01-15 | Name : Mandriva Update for pidgin MDVSA-2010:001 (pidgin) File : nvt/gb_mandriva_MDVSA_2010_001.nasl |
2010-01-15 | Name : Mandriva Update for pidgin MDVSA-2010:002 (pidgin) File : nvt/gb_mandriva_MDVSA_2010_002.nasl |
0000-00-00 | Name : Slackware Advisory SSA:2010-024-03 pidgin File : nvt/esoft_slk_ssa_2010_024_03.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
61421 | Adium MSN Custom Smileys Feature Emoticon Request Traversal Arbitrary File Di... |
61420 | Pidgin MSN Custom Smileys Feature Emoticon Request Traversal Arbitrary File D... |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0044.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20100114_pidgin_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-06-22 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201206-11.nasl - Type : ACT_GATHER_INFO |
2011-01-27 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_finch-6856.nasl - Type : ACT_GATHER_INFO |
2011-01-27 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_finch-6861.nasl - Type : ACT_GATHER_INFO |
2010-11-11 | Name : The remote Fedora host is missing a security update. File : fedora_2010-17130.nasl - Type : ACT_GATHER_INFO |
2010-08-02 | Name : The remote Fedora host is missing a security update. File : fedora_2010-11315.nasl - Type : ACT_GATHER_INFO |
2010-07-30 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-002.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-8524.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-8523.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-1383.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-1279.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-0429.nasl - Type : ACT_GATHER_INFO |
2010-07-01 | Name : The remote Fedora host is missing a security update. File : fedora_2010-0368.nasl - Type : ACT_GATHER_INFO |
2010-04-29 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-085.nasl - Type : ACT_GATHER_INFO |
2010-03-04 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_finch-100219.nasl - Type : ACT_GATHER_INFO |
2010-03-04 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_finch-100219.nasl - Type : ACT_GATHER_INFO |
2010-03-04 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_finch-100219.nasl - Type : ACT_GATHER_INFO |
2010-03-03 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_finch-100219.nasl - Type : ACT_GATHER_INFO |
2010-01-25 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2010-024-03.nasl - Type : ACT_GATHER_INFO |
2010-01-19 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-886-1.nasl - Type : ACT_GATHER_INFO |
2010-01-15 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0044.nasl - Type : ACT_GATHER_INFO |
2010-01-15 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0044.nasl - Type : ACT_GATHER_INFO |
2010-01-12 | Name : An instant messaging client installed on the remote Windows host is affected ... File : pidgin_2_6_5.nasl - Type : ACT_GATHER_INFO |
2010-01-12 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-001.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:53:11 |
|