Pidgin < 2.10.8 Multiple Vulnerabilities

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

An instant messaging client installed on the remote Windows host is
affected by multiple vulnerabilities.

Description :

The version of Pidgin installed on the remote host is a version prior
to 2.10.8. It is, therefore, potentially affected by the following
vulnerabilities :

- The bundled version of Pango has an error that can lead
to an application crash when rendering fonts and
attempting to display certain Unicode characters.

- Errors exist related to handling unspecified
characters, incorrect character encoding, incorrect
XMPP timestamps, hovering a pointer over a long URL,
unspecified HTTP responses, Yahoo! P2P messages, STUN
responses, and IRC arguments that could cause
application crashes and denial of service conditions.
(CVE-2012-6152, CVE-2013-6477, CVE-2013-6478,
CVE-2013-6479, CVE-2013-6481, CVE-2013-6484,
CVE-2014-0020)

- Errors exist related to handling MSN SOAP, MSN OIM, and
MSN header content that could cause application
crashes when NULL pointers are dereferenced.
(CVE-2013-6482)

- An error exists related to XMPP content such that the
'from' portion of some 'iq' replies is not verified.
(CVE-2013-6483)

- Errors exist related to parsing chunked and
Gadu-Gadu HTTP content, MXit emoticons, and
SIMPLE headers that could allow buffer overflows.
(CVE-2013-6485, CVE-2013-6487, CVE-2013-6489,
CVE-2013-6490)

- The application does not protect against links to
untrusted executable content. (CVE-2013-6486)

See also :

http://hg.pidgin.im/pidgin/main/rev/5010e6877abc
http://www.pidgin.im/news/security/?id=69
http://www.pidgin.im/news/security/?id=70
http://www.pidgin.im/news/security/?id=71
http://www.pidgin.im/news/security/?id=72
http://www.pidgin.im/news/security/?id=73
http://www.pidgin.im/news/security/?id=74
http://www.pidgin.im/news/security/?id=75
http://www.pidgin.im/news/security/?id=76
http://www.pidgin.im/news/security/?id=77
http://www.pidgin.im/news/security/?id=78
http://www.pidgin.im/news/security/?id=79
http://www.pidgin.im/news/security/?id=80
http://www.pidgin.im/news/security/?id=81
http://www.pidgin.im/news/security/?id=82
http://www.pidgin.im/news/security/?id=83
http://www.pidgin.im/news/security/?id=84
http://www.pidgin.im/news/security/?id=85

Solution :

Upgrade to Pidgin 2.10.8 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.1
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true