Pidgin < 2.10.8 Multiple Vulnerabilities

critical Nessus Plugin ID 72282

Synopsis

An instant messaging client installed on the remote Windows host is affected by multiple vulnerabilities.

Description

The version of Pidgin installed on the remote host is prior to 2.10.8. It is, therefore, potentially affected by the following vulnerabilities:

- The bundled version of Pango has an error that can lead to an application crash when rendering fonts and attempting to display certain Unicode characters.

- Errors exist related to handling unspecified characters, incorrect character encoding, incorrect XMPP timestamps, hovering a pointer over a long URL, unspecified HTTP responses, Yahoo! P2P messages, STUN responses, and IRC arguments that could cause application crashes and denial of service conditions.
(CVE-2012-6152, CVE-2013-6477, CVE-2013-6478, CVE-2013-6479, CVE-2013-6481, CVE-2013-6484, CVE-2014-0020)

- Errors exist related to handling MSN SOAP, MSN OIM, and MSN header content that could cause application crashes when NULL pointers are dereferenced.
(CVE-2013-6482)

- An error exists related to XMPP content such that the 'from' portion of some 'iq' replies is not verified.
(CVE-2013-6483)

- Errors exist related to parsing chunked and Gadu-Gadu HTTP content, MXit emoticons, and SIMPLE headers that could allow buffer overflows.
(CVE-2013-6485, CVE-2013-6487, CVE-2013-6489, CVE-2013-6490)

- The application does not protect against links to untrusted executable content. (CVE-2013-6486)

Solution

Upgrade to Pidgin 2.10.8 or later.

See Also

https://bitbucket.org/pidgin/

http://www.pidgin.im/news/security/?id=69

http://www.pidgin.im/news/security/?id=70

http://www.pidgin.im/news/security/?id=71

http://www.pidgin.im/news/security/?id=72

http://www.pidgin.im/news/security/?id=73

http://www.pidgin.im/news/security/?id=74

http://www.pidgin.im/news/security/?id=75

http://www.pidgin.im/news/security/?id=76

http://www.pidgin.im/news/security/?id=77

http://www.pidgin.im/news/security/?id=78

http://www.pidgin.im/news/security/?id=79

http://www.pidgin.im/news/security/?id=80

http://www.pidgin.im/news/security/?id=81

http://www.pidgin.im/news/security/?id=82

http://www.pidgin.im/news/security/?id=83

http://www.pidgin.im/news/security/?id=84

http://www.pidgin.im/news/security/?id=85

Plugin Details

Severity: Critical

ID: 72282

File Name: pidgin_2_10_8.nasl

Version: 1.7

Type: local

Agent: windows

Family: Windows

Published: 2/4/2014

Updated: 11/26/2019

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2013-6490

Vulnerability Information

CPE: cpe:/a:pidgin:pidgin

Required KB Items: SMB/Pidgin/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 1/28/2014

Vulnerability Publication Date: 1/28/2014

Reference Information

CVE: CVE-2012-6152, CVE-2013-6477, CVE-2013-6478, CVE-2013-6479, CVE-2013-6481, CVE-2013-6482, CVE-2013-6483, CVE-2013-6484, CVE-2013-6485, CVE-2013-6486, CVE-2013-6487, CVE-2013-6489, CVE-2013-6490, CVE-2014-0020

BID: 65188, 65189, 65192, 65195, 65243, 65492