Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : pidgin vulnerabilities (USN-1500-1)

Ubuntu Security Notice (C) 2012-2013 Canonical, Inc. / NASL script (C) 2012-2013 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related patches.

Description :

Evgeny Boger discovered that Pidgin incorrectly handled buddy list
messages in the AIM and ICQ protocol handlers. A remote attacker could
send a specially crafted message and cause Pidgin to crash, leading to
a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04
and 11.10. (CVE-2011-4601)

Thijs Alkemade discovered that Pidgin incorrectly handled malformed
voice and video chat requests in the XMPP protocol handler. A remote
attacker could send a specially crafted message and cause Pidgin to
crash, leading to a denial of service. This issue only affected Ubuntu
10.04 LTS, 11.04 and 11.10. (CVE-2011-4602)

Diego Bauche Madero discovered that Pidgin incorrectly handled UTF-8
sequences in the SILC protocol handler. A remote attacker could send a
specially crafted message and cause Pidgin to crash, leading to a
denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04
and 11.10. (CVE-2011-4603)

Julia Lawall discovered that Pidgin incorrectly cleared memory
contents used in cryptographic operations. An attacker could exploit
this to read the memory contents, leading to an information
disclosure. This issue only affected Ubuntu 10.04 LTS. (CVE-2011-4922)

Clemens Huebner and Kevin Stange discovered that Pidgin incorrectly
handled nickname changes inside chat rooms in the XMPP protocol
handler. A remote attacker could exploit this by changing nicknames,
leading to a denial of service. This issue only affected Ubuntu 11.10.
(CVE-2011-4939)

Thijs Alkemade discovered that Pidgin incorrectly handled off-line
instant messages in the MSN protocol handler. A remote attacker could
send a specially crafted message and cause Pidgin to crash, leading to
a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04
and 11.10. (CVE-2012-1178)

José Valentín Gutiérrez discovered that Pidgin incorrectly handled
SOCKS5 proxy connections during file transfer requests in the XMPP
protocol handler. A remote attacker could send a specially crafted
request and cause Pidgin to crash, leading to a denial of service.
This issue only affected Ubuntu 12.04 LTS and 11.10. (CVE-2012-2214)

Fabian Yamaguchi discovered that Pidgin incorrectly handled malformed
messages in the MSN protocol handler. A remote attacker could send a
specially crafted message and cause Pidgin to crash, leading to a
denial of service. (CVE-2012-2318)

Ulf Härnhammar discovered that Pidgin incorrectly handled messages
with in-line images in the MXit protocol handler. A remote attacker
could send a specially crafted message and possibly execute arbitrary
code with user privileges. (CVE-2012-3374).

Solution :

Update the affected finch, libpurple0 and / or pidgin packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.5
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false