The MXit protocol plugin in libpurple in Pidgin before 2.10.7 might allow remote attackers to create or overwrite files via a crafted (1) mxit or (2) mxit/imagestrips pathname.

The remote Solaris system is missing necessary patches to address security updates :

  - The Yahoo! protocol plugin in libpurple in Pidgin before     2.10.8 does not properly validate UTF-8 data, which     allows remote attackers to cause a denial of service     (application crash) via crafted byte sequences.
    (CVE-2012-6152)

  - The MXit protocol plugin in libpurple in Pidgin before     2.10.7 might allow remote attackers to create or     overwrite files via a crafted (1) mxit or (2)     mxit/imagestrips pathname. (CVE-2013-0271)

  - Buffer overflow in http.c in the MXit protocol plugin in     libpurple in Pidgin before 2.10.7 allows remote servers     to execute arbitrary code via a long HTTP header.
    (CVE-2013-0272)

  - sametime.c in the Sametime protocol plugin in libpurple     in Pidgin before 2.10.7 does not properly terminate long     user IDs, which allows remote servers to cause a denial     of service (application crash) via a crafted packet.
    (CVE-2013-0273)

  - upnp.c in libpurple in Pidgin before 2.10.7 does not     properly terminate long strings in UPnP responses, which     allows remote attackers to cause a denial of service     (application crash) by leveraging access to the local     network. (CVE-2013-0274)

  - Multiple integer signedness errors in libpurple in     Pidgin before 2.10.8 allow remote attackers to cause a     denial of service (application crash) via a crafted     timestamp value in an XMPP message. (CVE-2013-6477)

  - gtkimhtml.c in Pidgin before 2.10.8 does not properly     interact with underlying library support for wide Pango     layouts, which allows user-assisted remote attackers to     cause a denial of service (application crash) via a long     URL that is examined with a tooltip. (CVE-2013-6478)

  - util.c in libpurple in Pidgin before 2.10.8 does not     properly allocate memory for HTTP responses that are     inconsistent with the Content-Length header, which     allows remote HTTP servers to cause a denial of service     (application crash) via a crafted response.
    (CVE-2013-6479)

  - libpurple/protocols/yahoo/libymsg.c in Pidgin before     2.10.8 allows remote attackers to cause a denial of     service (crash) via a Yahoo! P2P message with a crafted     length field, which triggers a buffer over-read.
    (CVE-2013-6481)

  - Pidgin before 2.10.8 allows remote MSN servers to cause     a denial of service (NULL pointer dereference and crash)     via a crafted (1) SOAP response, (2) OIM XML response,     or (3) Content-Length header. (CVE-2013-6482)

  - The XMPP protocol plugin in libpurple in Pidgin before     2.10.8 does not properly determine whether the from     address in an iq reply is consistent with the to address     in an iq request, which allows remote attackers to spoof     iq traffic or cause a denial of service (NULL pointer     dereference and application crash) via a crafted reply.
    (CVE-2013-6483)

  - The STUN protocol implementation in libpurple in Pidgin     before 2.10.8 allows remote STUN servers to cause a     denial of service (out-of-bounds write operation and     application crash) by triggering a socket read error.
    (CVE-2013-6484)

  - Buffer overflow in util.c in libpurple in Pidgin before     2.10.8 allows remote HTTP servers to cause a denial of     service (application crash) or possibly have unspecified     other impact via an invalid chunk-size field in chunked     transfer-coding data. (CVE-2013-6485)

  - gtkutils.c in Pidgin before 2.10.8 on Windows allows     user-assisted remote attackers to execute arbitrary     programs via a message containing a file: URL that is     improperly handled during construction of an     explorer.exe command. NOTE: this vulnerability exists     because of an incomplete fix for CVE-2011-3185.
    (CVE-2013-6486)

  - Integer overflow in libpurple/protocols/gg/lib/http.c in     the Gadu-Gadu (gg) parser in Pidgin before 2.10.8 allows     remote attackers to have an unspecified impact via a     large Content-Length value, which triggers a buffer     overflow. (CVE-2013-6487)

  - Integer signedness error in the MXit functionality in     Pidgin before 2.10.8 allows remote attackers to cause a     denial of service (segmentation fault) via a crafted     emoticon value, which triggers an integer overflow and a     buffer overflow. (CVE-2013-6489)

  - The SIMPLE protocol functionality in Pidgin before     2.10.8 allows remote attackers to have an unspecified     impact via a negative Content-Length header, which     triggers a buffer overflow. (CVE-2013-6490)

  - The IRC protocol plugin in libpurple in Pidgin before     2.10.8 does not validate argument counts, which allows     remote IRC servers to cause a denial of service     (application crash) via a crafted message.
    (CVE-2014-0020)

Pidgin was updated to 2.10.7 to fix various security issues and the bug that IRC did not work at all in 12.3.

Changes :

  - Add pidgin-irc-sasl.patch: link irc module to SASL.
    Allows the IRC module to be loaded (bnc#806975).

  - Update to version 2.10.7 (bnc#804742) :

  + Alien hatchery :

  - No changes

  + General :

  - The configure script will now exit with status 1 when     specifying invalid protocol plugins using the

    --with-static-prpls and --with-dynamic-prpls arguments.
    (pidgin.im#15316)

  + libpurple :

  - Fix a crash when receiving UPnP responses with     abnormally long values. (CVE-2013-0274)

  - Don't link directly to libgcrypt when building with     GnuTLS support. (pidgin.im#15329)

  - Fix UPnP mappings on routers that return empty     <URLBase/> elements in their response. (pidgin.im#15373)

  - Tcl plugin uses saner, race-free plugin loading.

  - Fix the Tcl signals-test plugin for savedstatus-changed.
    (pidgin.im#15443)

  + Pidgin :

  - Make Pidgin more friendly to non-X11 GTK+, such as     MacPorts' +no_x11 variant.

  + Gadu-Gadu :

  - Fix a crash at startup with large contact list. Avatar     support for buddies will be disabled until 3.0.0.
    (pidgin.im#15226, pidgin.im#14305)

  + IRC :

  - Support for SASL authentication. (pidgin.im#13270)

  - Print topic setter information at channel join.
    (pidgin.im#13317)

  + MSN :

  - Fix SSL certificate issue when signing into MSN for some     users.

  - Fix a crash when removing a user before its icon is     loaded. (pidgin.im#15217)

  + MXit :

  - Fix a bug where a remote MXit user could possibly     specify a local file path to be written to.
    (CVE-2013-0271)

  - Fix a bug where the MXit server or a man-in-the-middle     could potentially send specially crafted data that could     overflow a buffer and lead to a crash or remote code     execution. (CVE-2013-0272)

  - Display farewell messages in a different colour to     distinguish them from normal messages.

  - Add support for typing notification.

  - Add support for the Relationship Status profile     attribute.

  - Remove all reference to Hidden Number.

  - Ignore new invites to join a GroupChat if you're already     joined, or still have a pending invite.

  - The buddy's name was not centered vertically in the     buddy-list if they did not have a status-message or mood     set.

  - Fix decoding of font-size changes in the markup of     received messages.

  - Increase the maximum file size that can be transferred     to 1 MB.

  - When setting an avatar image, no longer downscale it to     96x96.

  + Sametime :

  - Fix a crash in Sametime when a malicious server sends us     an abnormally long user ID. (CVE-2013-0273)

  + Yahoo! :

  - Fix a double-free in profile/picture loading code.
    (pidgin.im#15053)

  - Fix retrieving server-side buddy aliases.
    (pidgin.im#15381)

  + Plugins :

  - The Voice/Video Settings plugin supports using the sndio     GStreamer backends. (pidgin.im#14414)

  - Fix a crash in the Contact Availability Detection     plugin. (pidgin.im#15327)

  - Make the Message Notification plugin more friendly to     non-X11 GTK+, such as MacPorts' +no_x11 variant.

  + Windows-Specific Changes :

  - Compile with secure flags (pidgin.im#15290)

  - Installer downloads GTK+ Runtime and Debug Symbols more     securely. (pidgin.im#15277)

  - Updates to a number of dependencies, some of which have     security related fixes. (pidgin.im#14571,     pidgin.im#15285, pidgin.im#15286) . ATK 1.32.0-2 . Cyrus     SASL 2.1.25 . expat 2.1.0-1 . freetype 2.4.10-1 .
    gettext 0.18.1.1-2 . Glib 2.28.8-1 . libpng 1.4.12-1 .
    libxml2 2.9.0-1 . NSS 3.13.6 and NSPR 4.9.2 . Pango     1.29.4-1 . SILC 1.1.10 . zlib 1.2.5-2

  - Patch libmeanwhile (sametime library) to fix crash.
    (pidgin.im#12637)

pidgin was updated to fix security issues :

  - Fix a crash when receiving UPnP responses with     abnormally long values. (CVE-2013-0274)

  - Fix a crash in Sametime when a malicious server sends us     an abnormally long user ID. (CVE-2013-0273)

  - Fix a bug where the MXit server or a man-in-the-middle     could potentially send specially crafted data that could     overflow a buffer and lead to a crash or remote code     execution.(CVE-2013-0272)

  - Fix a bug where a remote MXit user could possibly     specify a local file path to be written to.
    (CVE-2013-0271)

The remote host is affected by the vulnerability described in GLSA-201405-22 (Pidgin: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Pidgin. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the Pidgin process, cause a Denial of Service condition,       overwrite files, or spoof traffic.
  Workaround :

    There is no known workaround at this time.

Pidgin reports :

libpurple

Fix a crash when receiving UPnP responses with abnormally long values.

MXit

Fix two bugs where a remote MXit user could possibly specify a local file path to be written to.

Fix a bug where the MXit server or a man-in-the-middle could potentially send specially crafted data that could overflow a buffer and lead to a crash or remote code execution.

Sametime

Fix a crash in Sametime when a malicious server sends us an abnormally long user ID.

pidgin was updated to fix 4 security issues :

  - Fixed a crash when receiving UPnP responses with     abnormally long values. (CVE-2013-0274, bnc#804742)

  - Fixed a crash in Sametime protocol when a malicious     server sends us an abnormally long user ID.
    (CVE-2013-0273, bnc#804742)

  - Fixed a bug where the MXit server or a man-in-the-middle     could potentially send specially crafted data that could     overflow a buffer and lead to a crash or remote code     execution. (CVE-2013-0272, bnc#804742)

  - Fixed a bug where a remote MXit user could possibly     specify a local file path to be written to.
    (CVE-2013-0271, bnc#804742)

Chris Wysopal discovered that Pidgin incorrectly handled file transfers in the MXit protocol handler. A remote attacker could use this issue to create or overwrite arbitrary files. This issue only affected Ubuntu 11.10, Ubuntu 12.04 LTS and Ubuntu 12.10.
(CVE-2013-0271)

It was discovered that Pidgin incorrectly handled long HTTP headers in the MXit protocol handler. A malicious remote server could use this issue to execute arbitrary code. (CVE-2013-0272)

It was discovered that Pidgin incorrectly handled long user IDs in the Sametime protocol handler. A malicious remote server could use this issue to cause Pidgin to crash, resulting in a denial of service.
(CVE-2013-0273)

It was discovered that Pidgin incorrectly handled long strings when processing UPnP responses. A remote attacker could use this issue to cause Pidgin to crash, resulting in a denial of service.
(CVE-2013-0274).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Pidgin installed on the remote host is earlier than 2.10.7.  It is, therefore, potentially affected by the following vulnerabilities :

  - An error exists related to the 'MXit' plugin and     the saving of images that could allow arbitrary files     to be overwritten. (CVE-2013-0271)

  - A stack-based buffer overflow  exists in the function     'mxit_cb_http_read' in the file     'libpurple/protocols/mxit/http.c' that could allow     arbitrary code execution when handling certain HTTP     headers. (CVE-2013-0272)

  - An error exists in the function 'mw_prpl_normalize' in     the file 'libpurple/protocols/sametime/sametime.c' that     could allow denial of service attacks when handling     user IDs longer than 4096 bytes. (CVE-2013-0273)

  - Errors exist in the functions     'upnp_parse_description_cb',     'purple_upnp_discover_send_broadcast',     'looked_up_public_ip_cb', 'looked_up_internal_ip_cb',     'purple_upnp_set_port_mapping', and     'purple_upnp_remove_port_mapping' in the file     'libpurple/upnp.c' that could allow denial of service     attacks when handling certain UPnP response messages.
    (CVE-2013-0274)

New pidgin packages are available for Slackware 12.2, 13.0, 13.1, 13.37, 14.0, and -current to fix security issues.

ID	Name	Product	Family	Severity
80740	Oracle Solaris Third-Party Patch Update : pidgin (multiple_vulnerabilities_in_pidgin2)	Nessus	Solaris Local Security Checks	critical
74934	openSUSE Security Update : pidgin (openSUSE-SU-2013:0511-1)	Nessus	SuSE Local Security Checks	medium
74915	openSUSE Security Update : pidgin (openSUSE-SU-2013:0405-1)	Nessus	SuSE Local Security Checks	medium
74064	GLSA-201405-22 : Pidgin: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
65184	FreeBSD : libpurple -- multiple vulnerabilities (549787c1-8916-11e2-8549-68b599b52a02)	Nessus	FreeBSD Local Security Checks	medium
65026	SuSE 10 Security Update : pidgin (ZYPP Patch Number 8475)	Nessus	SuSE Local Security Checks	medium
65024	SuSE 11.2 Security Update : pidgin (SAT Patch Number 7429)	Nessus	SuSE Local Security Checks	medium
64890	Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : pidgin vulnerabilities (USN-1746-1)	Nessus	Ubuntu Local Security Checks	medium
64670	Pidgin < 2.10.7 Multiple Vulnerabilities	Nessus	Windows	medium
64622	Slackware 12.2 / 13.0 / 13.1 / 13.37 / 14.0 / current : pidgin (SSA:2013-044-01)	Nessus	Slackware Local Security Checks	medium

Detections

Analytics

CVE-2013-0271

high

Tenable Plugins

critical

medium

medium

critical

medium

medium

medium

medium

medium

medium