gtkutils.c in Pidgin before 2.10.8 on Windows allows user-assisted remote attackers to execute arbitrary programs via a message containing a file: URL that is improperly handled during construction of an explorer.exe command. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3185.

The remote Solaris system is missing necessary patches to address security updates :

  - The Yahoo! protocol plugin in libpurple in Pidgin before     2.10.8 does not properly validate UTF-8 data, which     allows remote attackers to cause a denial of service     (application crash) via crafted byte sequences.
    (CVE-2012-6152)

  - The MXit protocol plugin in libpurple in Pidgin before     2.10.7 might allow remote attackers to create or     overwrite files via a crafted (1) mxit or (2)     mxit/imagestrips pathname. (CVE-2013-0271)

  - Buffer overflow in http.c in the MXit protocol plugin in     libpurple in Pidgin before 2.10.7 allows remote servers     to execute arbitrary code via a long HTTP header.
    (CVE-2013-0272)

  - sametime.c in the Sametime protocol plugin in libpurple     in Pidgin before 2.10.7 does not properly terminate long     user IDs, which allows remote servers to cause a denial     of service (application crash) via a crafted packet.
    (CVE-2013-0273)

  - upnp.c in libpurple in Pidgin before 2.10.7 does not     properly terminate long strings in UPnP responses, which     allows remote attackers to cause a denial of service     (application crash) by leveraging access to the local     network. (CVE-2013-0274)

  - Multiple integer signedness errors in libpurple in     Pidgin before 2.10.8 allow remote attackers to cause a     denial of service (application crash) via a crafted     timestamp value in an XMPP message. (CVE-2013-6477)

  - gtkimhtml.c in Pidgin before 2.10.8 does not properly     interact with underlying library support for wide Pango     layouts, which allows user-assisted remote attackers to     cause a denial of service (application crash) via a long     URL that is examined with a tooltip. (CVE-2013-6478)

  - util.c in libpurple in Pidgin before 2.10.8 does not     properly allocate memory for HTTP responses that are     inconsistent with the Content-Length header, which     allows remote HTTP servers to cause a denial of service     (application crash) via a crafted response.
    (CVE-2013-6479)

  - libpurple/protocols/yahoo/libymsg.c in Pidgin before     2.10.8 allows remote attackers to cause a denial of     service (crash) via a Yahoo! P2P message with a crafted     length field, which triggers a buffer over-read.
    (CVE-2013-6481)

  - Pidgin before 2.10.8 allows remote MSN servers to cause     a denial of service (NULL pointer dereference and crash)     via a crafted (1) SOAP response, (2) OIM XML response,     or (3) Content-Length header. (CVE-2013-6482)

  - The XMPP protocol plugin in libpurple in Pidgin before     2.10.8 does not properly determine whether the from     address in an iq reply is consistent with the to address     in an iq request, which allows remote attackers to spoof     iq traffic or cause a denial of service (NULL pointer     dereference and application crash) via a crafted reply.
    (CVE-2013-6483)

  - The STUN protocol implementation in libpurple in Pidgin     before 2.10.8 allows remote STUN servers to cause a     denial of service (out-of-bounds write operation and     application crash) by triggering a socket read error.
    (CVE-2013-6484)

  - Buffer overflow in util.c in libpurple in Pidgin before     2.10.8 allows remote HTTP servers to cause a denial of     service (application crash) or possibly have unspecified     other impact via an invalid chunk-size field in chunked     transfer-coding data. (CVE-2013-6485)

  - gtkutils.c in Pidgin before 2.10.8 on Windows allows     user-assisted remote attackers to execute arbitrary     programs via a message containing a file: URL that is     improperly handled during construction of an     explorer.exe command. NOTE: this vulnerability exists     because of an incomplete fix for CVE-2011-3185.
    (CVE-2013-6486)

  - Integer overflow in libpurple/protocols/gg/lib/http.c in     the Gadu-Gadu (gg) parser in Pidgin before 2.10.8 allows     remote attackers to have an unspecified impact via a     large Content-Length value, which triggers a buffer     overflow. (CVE-2013-6487)

  - Integer signedness error in the MXit functionality in     Pidgin before 2.10.8 allows remote attackers to cause a     denial of service (segmentation fault) via a crafted     emoticon value, which triggers an integer overflow and a     buffer overflow. (CVE-2013-6489)

  - The SIMPLE protocol functionality in Pidgin before     2.10.8 allows remote attackers to have an unspecified     impact via a negative Content-Length header, which     triggers a buffer overflow. (CVE-2013-6490)

  - The IRC protocol plugin in libpurple in Pidgin before     2.10.8 does not validate argument counts, which allows     remote IRC servers to cause a denial of service     (application crash) via a crafted message.
    (CVE-2014-0020)

- Update to version 2.10.8 (bnc#861019) :

  + General: Python build scripts and example plugins are     now compatible with Python 3 (pidgin.im#15624).

  + libpurple :

  - Fix potential crash if libpurple gets an error     attempting to read a reply from a STUN server     (CVE-2013-6484).

  - Fix potential crash parsing a malformed HTTP response     (CVE-2013-6479).

  - Fix buffer overflow when parsing a malformed HTTP     response with chunked Transfer-Encoding (CVE-2013-6485).

  - Better handling of HTTP proxy responses with negative     Content-Lengths.

  - Fix handling of SSL certificates without subjects when     using libnss.

  - Fix handling of SSL certificates with timestamps in the     distant future when using libnss (pidgin.im#15586).

  - Impose maximum download size for all HTTP fetches.

  + Pidgin :

  - Fix crash displaying tooltip of long URLs     (CVE-2013-6478).

  - Better handling of URLs longer than 1000 letters.

  - Fix handling of multibyte UTF-8 characters in smiley     themes (pidgin.im#15756).

  + AIM: Fix untrusted certificate error.

  + AIM and ICQ: Fix a possible crash when receiving a     malformed message in a Direct IM session.

  + Gadu-Gadu :

  - Fix buffer overflow with remote code execution     potential. Only triggerable by a Gadu-Gadu server or a     man-in-the-middle (CVE-2013-6487).

  - Disabled buddy list import/export from/to server.

  - Disabled new account registration and password change     options.

  + IRC :

  - Fix bug where a malicious server or man-in-the-middle     could trigger a crash by not sending enough arguments     with various messages (CVE-2014-0020).

  - Fix bug where initial IRC status would not be set     correctly.

  - Fix bug where IRC wasn't available when libpurple was     compiled with Cyrus SASL support (pidgin.im#15517).

  + MSN :

  - Fix NULL pointer dereference parsing headers in MSN     (CVE-2013-6482).

  - Fix NULL pointer dereference parsing OIM data in MSN     (CVE-2013-6482).

  - Fix NULL pointer dereference parsing SOAP data in MSN     (CVE-2013-6482).

  - Fix possible crash when sending very long messages. Not     remotely-triggerable.

  + MXit :

  - Fix buffer overflow with remote code execution potential     (CVE-2013-6487).

  - Fix sporadic crashes that can happen after user is     disconnected.

  - Fix crash when attempting to add a contact via search     results.

  - Show error message if file transfer fails.

  - Fix compiling with InstantBird.

  - Fix display of some custom emoticons.

  + SILC: Correctly set whiteboard dimensions in whiteboard     sessions.

  + SIMPLE: Fix buffer overflow with remote code execution     potential (CVE-2013-6487).

  + XMPP :

  - Prevent spoofing of iq replies by verifying that the     'from' address matches the 'to' address of the iq     request (CVE-2013-6483).

  - Fix crash on some systems when receiving fake delay     timestamps with extreme values (CVE-2013-6477).

  - Fix possible crash or other erratic behavior when     selecting a very small file for your own buddy icon.

  - Fix crash if the user tries to initiate a voice/video     session with a resourceless JID.

  - Fix login errors when the first two available auth     mechanisms fail but a subsequent mechanism would     otherwise work when using Cyrus SASL (pidgin.im#15524).

  - Fix dropping incoming stanzas on BOSH connections when     we receive multiple HTTP responses at once     (pidgin.im#15684).

  + Yahoo! :

  - Fix possible crashes handling incoming strings that are     not UTF-8 (CVE-2012-6152).

  - Fix a bug reading a peer to peer message where a remote     user could trigger a crash (CVE-2013-6481).

  + Plugins :

  - Fix crash in contact availability plugin.

  - Fix perl function Purple::Network::ip_atoi.

  - Add Unity integration plugin.

  + Windows specific fixes: (CVE-2013-6486, pidgin.im#15520,     pidgin.im#15521, bgo#668154).

  - Drop pidgin-irc-sasl.patch, fixed upstream.

  - Obsolete pidgin-facebookchat: the package is no longer     maintained and pidgin as built-in support for Facebook     Chat.

  - Protect buildrequires for mono-devel with with_mono     macro.

  - Add pidgin-gstreamer1.patch: Port to GStreamer 1.0. Only     enabled on openSUSE 13.1 and newer.

  - On openSUSE 13.1 and newer, use gstreamer-devel and     gstreamer-plugins-base-devel BuildRequires.

The pidgin Instant Messenger has been updated to fix various security issues :

  - Remotely triggerable crash in IRC argument parsing.
    (CVE-2014-0020)

  - Buffer overflow in SIMPLE header parsing.
    (CVE-2013-6490)

  - Buffer overflow in MXit emoticon parsing.
    (CVE-2013-6489)

  - Buffer overflow in Gadu-Gadu HTTP parsing.
    (CVE-2013-6487)

  - Pidgin uses clickable links to untrusted executables.
    (CVE-2013-6486)

  - Buffer overflow parsing chunked HTTP responses.
    (CVE-2013-6485)

  - Crash reading response from STUN server. (CVE-2013-6484)

  - XMPP doesn't verify 'from' on some iq replies.
    (CVE-2013-6483)

  - NULL pointer dereference parsing SOAP data in MSN.
    (CVE-2013-6482)

  - NULL pointer dereference parsing OIM data in MSN.
    (CVE-2013-6482)

  - NULL pointer dereference parsing headers in MSN.
    (CVE-2013-6482)

  - Remote crash reading Yahoo! P2P message. (CVE-2013-6481)

  - Remote crash parsing HTTP responses. (CVE-2013-6479)

  - Crash when hovering pointer over a long URL.
    (CVE-2013-6478)

  - Crash handling bad XMPP timestamp. (CVE-2013-6477)

  - Yahoo! remote crash from incorrect character encoding.
    (CVE-2012-6152)

The version of Pidgin installed on the remote host is a version prior to 2.10.8. It is, therefore, potentially affected by the following vulnerabilities :

  - The bundled version of Pango has an error that can lead     to an application crash when rendering fonts and     attempting to display certain Unicode characters. 

  - Errors exist related to handling unspecified     characters, incorrect character encoding, incorrect     XMPP timestamps, hovering a pointer over a long URL,     unspecified HTTP responses, Yahoo! P2P messages, STUN     responses, and IRC arguments that could cause     application crashes and denial of service conditions.
    (CVE-2012-6152, CVE-2013-6477, CVE-2013-6478,     CVE-2013-6479, CVE-2013-6481, CVE-2013-6484,     CVE-2014-0020)

  - Errors exist related to handling MSN SOAP, MSN OIM, and     MSN header content that could cause application     crashes when NULL pointers are dereferenced.
    (CVE-2013-6482)

  - An error exists related XMPP content such that the     'from' portion of some 'iq' replies is not verified.
    (CVE-2013-6483)

  - Errors exist related to parsing chunked and     Gadu-Gadu HTTP content, MXit emoticons, and     SIMPLE headers that could allow buffer overflows.
    (CVE-2013-6485, CVE-2013-6487, CVE-2013-6489,     CVE-2013-6490)

  - The application does not protect against links to     untrusted executable content. (CVE-2013-6486)

New pidgin packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

ID	Name	Product	Family	Severity
80740	Oracle Solaris Third-Party Patch Update : pidgin (multiple_vulnerabilities_in_pidgin2)	Nessus	Solaris Local Security Checks	critical
75256	openSUSE Security Update : pidgin / pidgin-branding-openSUSE (openSUSE-SU-2014:0239-1)	Nessus	SuSE Local Security Checks	high
74173	SuSE 11.3 Security Update : finch (SAT Patch Number 9213)	Nessus	SuSE Local Security Checks	critical
72282	Pidgin < 2.10.8 Multiple Vulnerabilities	Nessus	Windows	critical
72265	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : pidgin (SSA:2014-034-01)	Nessus	Slackware Local Security Checks	critical

Detections

Analytics

CVE-2013-6486

high

Tenable Plugins

critical

high

critical

critical

critical