Pidgin < 2.10.8 Multiple Vulnerabilities

This script is Copyright (C) 2014 Tenable Network Security, Inc.

Synopsis :

An instant messaging client installed on the remote Windows host is
affected by multiple vulnerabilities.

Description :

The version of Pidgin installed on the remote host is a version prior
to 2.10.8. It is, therefore, potentially affected by the following
vulnerabilities :

- The bundled version of Pango has an error that can lead
to an application crash when rendering fonts and
attempting to display certain Unicode characters.

- Errors exist related to handling unspecified
characters, incorrect character encoding, incorrect
XMPP timestamps, hovering a pointer over a long URL,
unspecified HTTP responses, Yahoo! P2P messages, STUN
responses, and IRC arguments that could cause
application crashes and denial of service conditions.
(CVE-2012-6152, CVE-2013-6477, CVE-2013-6478,
CVE-2013-6479, CVE-2013-6481, CVE-2013-6484,

- Errors exist related to handling MSN SOAP, MSN OIM, and
MSN header content that could cause application
crashes when NULL pointers are dereferenced.

- An error exists related to XMPP content such that the
'from' portion of some 'iq' replies is not verified.

- Errors exist related to parsing chunked and
Gadu-Gadu HTTP content, MXit emoticons, and
SIMPLE headers that could allow buffer overflows.
(CVE-2013-6485, CVE-2013-6487, CVE-2013-6489,

- The application does not protect against links to
untrusted executable content. (CVE-2013-6486)

Solution :

Upgrade to Pidgin 2.10.8 or later.

Risk factor :

High / CVSS Base Score : 9.3
CVSS Temporal Score : 8.1
Public Exploit Available : true