The msn_oim_report_to_user function in oim.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.2 allows remote servers to cause a denial of service (application crash) via an OIM message that lacks UTF-8 encoding.

Changes in pidgin :

  - Fixing bnc#752275, CVE-2012-1178: Pidgin fails to verify     the text's utf-8 encoding

Various remote triggerable crashes in pidgin have been fixed :

  - In some situations the MSN server sends text that isn't     UTF-8 encoded, and Pidgin fails to verify the text's     encoding. In some cases this can lead to a crash when     attempting to display the text (). (CVE-2012-1178)

  - Incoming messages with certain characters or character     encodings can cause clients to crash. (CVE-2012-1178 /     CVE-2012-2318)

  - A series of specially crafted file transfer requests can     cause clients to reference invalid memory. The user must     have accepted one of the file transfer requests.
    (CVE-2012-2214)

Multiple vulnerabilities has been discovered and corrected in pidgin :

The pidgin_conv_chat_rename_user function in gtkconv.c in Pidgin before 2.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by changing a nickname while in an XMPP chat room (CVE-2011-4939).

The msn_oim_report_to_user function in oim.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.2 allows remote servers to cause a denial of service (application crash) via an OIM message that lacks UTF-8 encoding (CVE-2012-1178).

This update provides pidgin 2.10.2, which is not vulnerable to these issues.

Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.

A flaw was found in the way the Pidgin MSN protocol plug-in processed text that was not encoded in UTF-8. A remote attacker could use this flaw to crash Pidgin by sending a specially crafted MSN message.
(CVE-2012-1178)

An input validation flaw was found in the way the Pidgin MSN protocol plug-in handled MSN notification messages. A malicious server or a remote attacker could use this flaw to crash Pidgin by sending a specially crafted MSN notification message. (CVE-2012-2318)

A buffer overflow flaw was found in the Pidgin MXit protocol plug-in.
A remote attacker could use this flaw to crash Pidgin by sending a MXit message containing specially crafted emoticon tags.
(CVE-2012-3374)

All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Pidgin must be restarted for this update to take effect.

The remote Redhat Enterprise Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:1102 advisory.

  - pidgin: Client abort in the MSN protocol plug-in by attempt to display certain, not UTF-8 encoded text     (CVE-2012-1178)

  - pidgin: Improper validation of incoming plaintext messages in MSN protocol plug-in (CVE-2012-2318)

  - pidgin: Stack-based buffer overwrite in MXit protocol libPurple plug-in (CVE-2012-3374)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Updated pidgin packages that fix three security issues are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.

A flaw was found in the way the Pidgin MSN protocol plug-in processed text that was not encoded in UTF-8. A remote attacker could use this flaw to crash Pidgin by sending a specially crafted MSN message.
(CVE-2012-1178)

An input validation flaw was found in the way the Pidgin MSN protocol plug-in handled MSN notification messages. A malicious server or a remote attacker could use this flaw to crash Pidgin by sending a specially crafted MSN notification message. (CVE-2012-2318)

A buffer overflow flaw was found in the Pidgin MXit protocol plug-in.
A remote attacker could use this flaw to crash Pidgin by sending a MXit message containing specially crafted emoticon tags.
(CVE-2012-3374)

Red Hat would like to thank the Pidgin project for reporting the CVE-2012-3374 issue. Upstream acknowledges Ulf Harnhammar as the original reporter of CVE-2012-3374.

All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Pidgin must be restarted for this update to take effect.

Evgeny Boger discovered that Pidgin incorrectly handled buddy list messages in the AIM and ICQ protocol handlers. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2011-4601)

Thijs Alkemade discovered that Pidgin incorrectly handled malformed voice and video chat requests in the XMPP protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2011-4602)

Diego Bauche Madero discovered that Pidgin incorrectly handled UTF-8 sequences in the SILC protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2011-4603)

Julia Lawall discovered that Pidgin incorrectly cleared memory contents used in cryptographic operations. An attacker could exploit this to read the memory contents, leading to an information disclosure. This issue only affected Ubuntu 10.04 LTS. (CVE-2011-4922)

Clemens Huebner and Kevin Stange discovered that Pidgin incorrectly handled nickname changes inside chat rooms in the XMPP protocol handler. A remote attacker could exploit this by changing nicknames, leading to a denial of service. This issue only affected Ubuntu 11.10.
(CVE-2011-4939)

Thijs Alkemade discovered that Pidgin incorrectly handled off-line instant messages in the MSN protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2012-1178)

Jose Valentin Gutierrez discovered that Pidgin incorrectly handled SOCKS5 proxy connections during file transfer requests in the XMPP protocol handler. A remote attacker could send a specially crafted request and cause Pidgin to crash, leading to a denial of service.
This issue only affected Ubuntu 12.04 LTS and 11.10. (CVE-2012-2214)

Fabian Yamaguchi discovered that Pidgin incorrectly handled malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. (CVE-2012-2318)

Ulf Harnhammar discovered that Pidgin incorrectly handled messages with in-line images in the MXit protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2012-3374).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

US-CERT reports :

The msn_oim_report_to_user function in oim.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.2 allows remote servers to cause a denial of service (application crash) via an OIM message that lacks UTF-8 encoding.

The version of Pidgin installed on the remote host is earlier than 2.10.2 and is potentially affected by the following issues :

  - A denial of service vulnerability (NULL pointer     dereference) in the 'pidgin_conv_chat_rename_user'     function in 'gtkconv.c'. Remote attackers can trigger     the vulnerability by performing certain types of     nickname changes while in an XMPP chat room.     (CVE-2011-4939)

  - The msn_oim_report_to_user function in oim.c allows     remote servers to cause an application crash by     sending an OIM message without UTF-8 encoding.     (CVE-2012-1178)

ID	Name	Product	Family	Severity
74688	openSUSE Security Update : pidgin (openSUSE-SU-2012:0905-1)	Nessus	SuSE Local Security Checks	medium
64129	SuSE 11.1 Security Update : finch, libpurple and pidgin (SAT Patch Number 6294)	Nessus	SuSE Local Security Checks	medium
64128	SuSE 11.1 Security Update : finch, libpurple and pidgin (SAT Patch Number 6294)	Nessus	SuSE Local Security Checks	medium
61945	Mandriva Linux Security Advisory : pidgin (MDVSA-2012:029)	Nessus	Mandriva Local Security Checks	medium
61370	Scientific Linux Security Update : pidgin on SL5.x, SL6.x i386/x86_64 (20120719)	Nessus	Scientific Linux Local Security Checks	high
60076	RHEL 5 / 6 : pidgin (RHSA-2012:1102)	Nessus	Red Hat Local Security Checks	high
60067	CentOS 5 / 6 : pidgin (CESA-2012:1102)	Nessus	CentOS Local Security Checks	high
59903	Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : pidgin vulnerabilities (USN-1500-1)	Nessus	Ubuntu Local Security Checks	high
59682	SuSE 10 Security Update : finch, libpurple, and pidgin (ZYPP Patch Number 8131)	Nessus	SuSE Local Security Checks	medium
58556	FreeBSD : libpurple -- Remote DoS via an MSN OIM message that lacks UTF-8 encoding (7289214f-7c55-11e1-ab3b-000bcdf0a03b)	Nessus	FreeBSD Local Security Checks	medium
58410	Pidgin < 2.10.2 Multiple DoS	Nessus	Windows	medium

Detections

Analytics

CVE-2012-1178

high

Tenable Plugins

medium

medium

medium

medium

high

high

high

high

medium

medium

medium