Detections
Analytics

Debian DSA-2859-1 : pidgin - several vulnerabilities

critical Nessus Plugin ID 72439

Language:

Synopsis

The remote Debian host is missing a security-related update.

Description

Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client :

 - CVE-2013-6477 Jaime Breva Ribes discovered that a remote XMPP user can trigger a crash by sending a message with a timestamp in the distant future.

 - CVE-2013-6478 Pidgin could be crashed through overly wide tooltip windows.

 - CVE-2013-6479 Jacob Appelbaum discovered that a malicious server or a 'man in the middle' could send a malformed HTTP header resulting in denial of service.

 - CVE-2013-6481 Daniel Atallah discovered that Pidgin could be crashed through malformed Yahoo! P2P messages.

 - CVE-2013-6482 Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed MSN messages.

 - CVE-2013-6483 Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed XMPP messages.

 - CVE-2013-6484 It was discovered that incorrect error handling when reading the response from a STUN server could result in a crash.

 - CVE-2013-6485 Matt Jones discovered a buffer overflow in the parsing of malformed HTTP responses.

 - CVE-2013-6487 Yves Younan and Ryan Pentney discovered a buffer overflow when parsing Gadu-Gadu messages.

 - CVE-2013-6489 Yves Younan and Pawel Janic discovered an integer overflow when parsing MXit emoticons.

 - CVE-2013-6490 Yves Younan discovered a buffer overflow when parsing SIMPLE headers.

 - CVE-2014-0020 Daniel Atallah discovered that Pidgin could be crashed via malformed IRC arguments.

Solution

Upgrade the pidgin packages.

For the oldstable distribution (squeeze), no direct backport is provided. A fixed package will be provided through backports.debian.org shortly.

For the stable distribution (wheezy), these problems have been fixed in version 2.10.9-1~deb7u1.

See Also

https://security-tracker.debian.org/tracker/CVE-2013-6477

https://security-tracker.debian.org/tracker/CVE-2013-6478

https://security-tracker.debian.org/tracker/CVE-2013-6479

https://security-tracker.debian.org/tracker/CVE-2013-6481

https://security-tracker.debian.org/tracker/CVE-2013-6482

https://security-tracker.debian.org/tracker/CVE-2013-6483

https://security-tracker.debian.org/tracker/CVE-2013-6484

https://security-tracker.debian.org/tracker/CVE-2013-6485

https://security-tracker.debian.org/tracker/CVE-2013-6487

https://security-tracker.debian.org/tracker/CVE-2013-6489

https://security-tracker.debian.org/tracker/CVE-2013-6490

https://security-tracker.debian.org/tracker/CVE-2014-0020

https://packages.debian.org/source/wheezy/pidgin

https://www.debian.org/security/2014/dsa-2859

Plugin Details

Severity: Critical

ID: 72439

File Name: debian_DSA-2859.nasl

Version: 1.7

Type: local

Agent: unix

Published: 2/12/2014

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:pidgin, cpe:/o:debian:debian_linux:7.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 2/10/2014

Reference Information

CVE: CVE-2013-6477, CVE-2013-6478, CVE-2013-6479, CVE-2013-6481, CVE-2013-6482, CVE-2013-6483, CVE-2013-6484, CVE-2013-6485, CVE-2013-6487, CVE-2013-6489, CVE-2013-6490, CVE-2014-0020

BID: 65188, 65192, 65195, 65243

DSA: 2859