You are here

V-092: Pidgin Multiple Vulnerabilities

February 15, 2013 - 6:00am

Addthis

PROBLEM:

Multiple vulnerabilities have been reported in Pidgin

PLATFORM:

Vulnerabilities are reported in version 2.10.6. Prior versions may also be affected.

ABSTRACT:

Multiple vulnerabilities have been reported in Pidgin, which can be exploited by malicious people to manipulate certain data, cause a DoS (Denial of Service), and compromise a user's system.

REFERENCE LINKS:

Secunia Advisory SA52178 
Pidgin
CVE-2013-0271
CVE-2013-0272 
CVE-2013-0273 
CVE-2013-0274 

IMPACT ASSESSMENT:

High

DISCUSSION:

1) An error within the MXit protocol plugin when saving images can be exploited to overwrite certain files.

2) A boundary error within the "mxit_cb_http_read()" function (libpurple/protocols/mxit/http.c) when parsing incoming HTTP headers can be exploited to cause a stack-based buffer overflow via a specially crafted HTTP header.

3) An error within the "mw_prpl_normalize()" function (libpurple/protocols/sametime/sametime.c) when handling user ID longer than 4096 bytes can be exploited to cause a crash.

4) Some errors within the "upnp_parse_description_cb()", "purple_upnp_discover_send_broadcast()", "looked_up_public_ip_cb()", "looked_up_internal_ip_cb()", "purple_upnp_set_port_mapping()", and "purple_upnp_remove_port_mapping()" functions (libpurple/upnp.c) when handling UPnP requests can be exploited to cause crashes.

IMPACT:

Successful exploitation of the vulnerabilities allows execution of arbitrary code.

SOLUTION:

Update to version 2.10.7.

Addthis