family_feedbag.c in the oscar protocol plugin in libpurple in Pidgin before 2.10.1 does not perform the expected UTF-8 validation on message data, which allows remote attackers to cause a denial of service (application crash) via a crafted (1) AIM or (2) ICQ message associated with buddy-list addition.

Remote users could crash pidgin via ICQ, SILC, XMPP and Yahoo protocols (CVE-2011-4601, CVE-2011-4603, CVE-2011-4602, CVE-2011-1091).

pidgin was updated to version 2.10.1

  + AIM and ICQ :

  - Fix remotely-triggerable crashes by validating strings     in a few messages related to buddy list management     (bnc#736147, CVE-2011-4601).

  + Bonjour :

  - IPv6 fixes

  + Gadu-Gadu :

  - Fix problems linking against GnuTLS.

  + IRC :

  - Fix a memory leak when admitting UTF-8 text with a     non-UTF-8 primary encoding.

  + Jabber :

  - Fix crashes and memory leaks when receiving malformed     voice and video requests.

  + Sametime :

  - Separate 'username' and 'server' when adding new     Sametime accounts.

  - Fix compilation in Visual C++.

  + SILC :

  - Fix CVE-2011-3594, by UTF-8 validating incoming messages     before passing them to glib or libpurple.

  + Yahoo! :

  - Fetch buddy icons in some cases where we previously     weren't.

From Red Hat Security Advisory 2011:1821 :

Updated pidgin packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.

An input sanitization flaw was found in the way the AOL Open System for Communication in Realtime (OSCAR) protocol plug-in in Pidgin, used by the AOL ICQ and AIM instant messaging systems, escaped certain UTF-8 characters. A remote attacker could use this flaw to crash Pidgin via a specially crafted OSCAR message. (CVE-2011-4601)

Multiple NULL pointer dereference flaws were found in the Jingle extension of the Extensible Messaging and Presence Protocol (XMPP) protocol plug-in in Pidgin. A remote attacker could use these flaws to crash Pidgin via a specially crafted Jingle multimedia message.
(CVE-2011-4602)

Red Hat would like to thank the Pidgin project for reporting these issues. Upstream acknowledges Evgeny Boger as the original reporter of CVE-2011-4601, and Thijs Alkemade as the original reporter of CVE-2011-4602.

All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Pidgin must be restarted for this update to take effect.

From Red Hat Security Advisory 2011:1820 :

Updated pidgin packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.

An input sanitization flaw was found in the way the AOL Open System for Communication in Realtime (OSCAR) protocol plug-in in Pidgin, used by the AOL ICQ and AIM instant messaging systems, escaped certain UTF-8 characters. A remote attacker could use this flaw to crash Pidgin via a specially crafted OSCAR message. (CVE-2011-4601)

An input sanitization flaw was found in the way the Pidgin SILC (Secure Internet Live Conferencing) protocol plug-in escaped certain UTF-8 characters in channel messages. A remote attacker could use this flaw to crash Pidgin via a specially crafted SILC message.
(CVE-2011-4603)

Multiple NULL pointer dereference flaws were found in the Jingle extension of the Extensible Messaging and Presence Protocol (XMPP) protocol plug-in in Pidgin. A remote attacker could use these flaws to crash Pidgin via a specially crafted Jingle multimedia message.
(CVE-2011-4602)

Red Hat would like to thank the Pidgin project for reporting these issues. Upstream acknowledges Evgeny Boger as the original reporter of CVE-2011-4601; Diego Bauche Madero from IOActive as the original reporter of CVE-2011-4603; and Thijs Alkemade as the original reporter of CVE-2011-4602.

All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Pidgin must be restarted for this update to take effect.

Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.

An input sanitization flaw was found in the way the AOL Open System for Communication in Realtime (OSCAR) protocol plug-in in Pidgin, used by the AOL ICQ and AIM instant messaging systems, escaped certain UTF-8 characters. A remote attacker could use this flaw to crash Pidgin via a specially crafted OSCAR message. (CVE-2011-4601)

Multiple NULL pointer dereference flaws were found in the Jingle extension of the Extensible Messaging and Presence Protocol (XMPP) protocol plug-in in Pidgin. A remote attacker could use these flaws to crash Pidgin via a specially crafted Jingle multimedia message.
(CVE-2011-4602)

All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Pidgin must be restarted for this update to take effect.

Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.

An input sanitization flaw was found in the way the AOL Open System for Communication in Realtime (OSCAR) protocol plug-in in Pidgin, used by the AOL ICQ and AIM instant messaging systems, escaped certain UTF-8 characters. A remote attacker could use this flaw to crash Pidgin via a specially crafted OSCAR message. (CVE-2011-4601)

An input sanitization flaw was found in the way the Pidgin SILC (Secure Internet Live Conferencing) protocol plug-in escaped certain UTF-8 characters in channel messages. A remote attacker could use this flaw to crash Pidgin via a specially crafted SILC message.
(CVE-2011-4603)

Multiple NULL pointer dereference flaws were found in the Jingle extension of the Extensible Messaging and Presence Protocol (XMPP) protocol plug-in in Pidgin. A remote attacker could use these flaws to crash Pidgin via a specially crafted Jingle multimedia message.
(CVE-2011-4602)

All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Pidgin must be restarted for this update to take effect.

Evgeny Boger discovered that Pidgin incorrectly handled buddy list messages in the AIM and ICQ protocol handlers. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2011-4601)

Thijs Alkemade discovered that Pidgin incorrectly handled malformed voice and video chat requests in the XMPP protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2011-4602)

Diego Bauche Madero discovered that Pidgin incorrectly handled UTF-8 sequences in the SILC protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2011-4603)

Julia Lawall discovered that Pidgin incorrectly cleared memory contents used in cryptographic operations. An attacker could exploit this to read the memory contents, leading to an information disclosure. This issue only affected Ubuntu 10.04 LTS. (CVE-2011-4922)

Clemens Huebner and Kevin Stange discovered that Pidgin incorrectly handled nickname changes inside chat rooms in the XMPP protocol handler. A remote attacker could exploit this by changing nicknames, leading to a denial of service. This issue only affected Ubuntu 11.10.
(CVE-2011-4939)

Thijs Alkemade discovered that Pidgin incorrectly handled off-line instant messages in the MSN protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2012-1178)

Jose Valentin Gutierrez discovered that Pidgin incorrectly handled SOCKS5 proxy connections during file transfer requests in the XMPP protocol handler. A remote attacker could send a specially crafted request and cause Pidgin to crash, leading to a denial of service.
This issue only affected Ubuntu 12.04 LTS and 11.10. (CVE-2012-2214)

Fabian Yamaguchi discovered that Pidgin incorrectly handled malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. (CVE-2012-2318)

Ulf Harnhammar discovered that Pidgin incorrectly handled messages with in-line images in the MXit protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2012-3374).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Remote users could have crashed crash pidgin via ICQ, SILC, XMPP and Yahoo protocols (CVE-2011-4601 / CVE-2011-4603 / CVE-2011-4602 / CVE-2011-1091). This has been fixed.

Remote users could have crashed pidgin via ICQ, SILC, XMPP and Yahoo protocols (CVE-2011-4601 / CVE-2011-4603 / CVE-2011-4602 / CVE-2011-1091). This has been fixed.

New release 2.10.1

Full Upstream ChangeLog :

http://developer.pidgin.im/wiki/ChangeLog

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated pidgin packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.

An input sanitization flaw was found in the way the AOL Open System for Communication in Realtime (OSCAR) protocol plug-in in Pidgin, used by the AOL ICQ and AIM instant messaging systems, escaped certain UTF-8 characters. A remote attacker could use this flaw to crash Pidgin via a specially crafted OSCAR message. (CVE-2011-4601)

Multiple NULL pointer dereference flaws were found in the Jingle extension of the Extensible Messaging and Presence Protocol (XMPP) protocol plug-in in Pidgin. A remote attacker could use these flaws to crash Pidgin via a specially crafted Jingle multimedia message.
(CVE-2011-4602)

Red Hat would like to thank the Pidgin project for reporting these issues. Upstream acknowledges Evgeny Boger as the original reporter of CVE-2011-4601, and Thijs Alkemade as the original reporter of CVE-2011-4602.

All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Pidgin must be restarted for this update to take effect.

The version of Pidgin installed on the remote host is earlier than 2.10.1 and is potentially affected by the following issues :

  - A failure to validate input during the processing of     UTF-8 SILC protocol messages can cause the application     to crash. (CVE-2011-3594, CVE-2011-4603)

  - A failure to validate input during the processing of     UTF-8 Oscar protocol buddy authorization request and     response messages can cause the application to crash.
    (CVE-2011-4601)

  - An error exists in the validation of voice and chat     messages in the XMPP protocol that can cause the     application to crash. (CVE-2011-4602)

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2011:1821 advisory.

  - pidgin (libpurple): Invalid UTF-8 string handling in OSCAR messages (CVE-2011-4601)

  - pidgin: Multiple NULL pointer deference flaws by processing certain Jingle stanzas in the XMPP protocol     plug-in (CVE-2011-4602)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 4 / 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2011:1820 advisory.

  - pidgin (libpurple): Invalid UTF-8 string handling in OSCAR messages (CVE-2011-4601)

  - pidgin: Multiple NULL pointer deference flaws by processing certain Jingle stanzas in the XMPP protocol     plug-in (CVE-2011-4602)

  - pidgin: SILC remote crash on channel messages (CVE-2011-4603)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Updated pidgin packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.

An input sanitization flaw was found in the way the AOL Open System for Communication in Realtime (OSCAR) protocol plug-in in Pidgin, used by the AOL ICQ and AIM instant messaging systems, escaped certain UTF-8 characters. A remote attacker could use this flaw to crash Pidgin via a specially crafted OSCAR message. (CVE-2011-4601)

An input sanitization flaw was found in the way the Pidgin SILC (Secure Internet Live Conferencing) protocol plug-in escaped certain UTF-8 characters in channel messages. A remote attacker could use this flaw to crash Pidgin via a specially crafted SILC message.
(CVE-2011-4603)

Multiple NULL pointer dereference flaws were found in the Jingle extension of the Extensible Messaging and Presence Protocol (XMPP) protocol plug-in in Pidgin. A remote attacker could use these flaws to crash Pidgin via a specially crafted Jingle multimedia message.
(CVE-2011-4602)

Red Hat would like to thank the Pidgin project for reporting these issues. Upstream acknowledges Evgeny Boger as the original reporter of CVE-2011-4601; Diego Bauche Madero from IOActive as the original reporter of CVE-2011-4603; and Thijs Alkemade as the original reporter of CVE-2011-4602.

All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Pidgin must be restarted for this update to take effect.

Multiple vulnerabilities has been discovered and corrected in pidgin :

When receiving various stanzas related to voice and video chat, the XMPP protocol plugin failed to ensure that the incoming message contained all required fields, and would crash if certain fields were missing.

When receiving various messages related to requesting or receiving authorization for adding a buddy to a buddy list, the oscar protocol plugin failed to validate that a piece of text was UTF-8. In some cases invalid UTF-8 data would lead to a crash (CVE-2011-4601).

When receiving various incoming messages, the SILC protocol plugin failed to validate that a piece of text was UTF-8. In some cases invalid UTF-8 data would lead to a crash (CVE-2011-3594).

This update provides pidgin 2.10.1, which is not vulnerable to these issues.

ID	Name	Product	Family	Severity
75830	openSUSE Security Update : finch (openSUSE-SU-2012:0066-1)	Nessus	SuSE Local Security Checks	medium
75490	openSUSE Security Update : finch (openSUSE-SU-2012:0066-1)	Nessus	SuSE Local Security Checks	medium
74639	openSUSE Security Update : pidgin (openSUSE-2012-29)	Nessus	SuSE Local Security Checks	medium
68409	Oracle Linux 6 : pidgin (ELSA-2011-1821)	Nessus	Oracle Linux Local Security Checks	medium
68408	Oracle Linux 4 : pidgin (ELSA-2011-1820)	Nessus	Oracle Linux Local Security Checks	medium
61209	Scientific Linux Security Update : pidgin on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
61208	Scientific Linux Security Update : pidgin on SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
59903	Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : pidgin vulnerabilities (USN-1500-1)	Nessus	Ubuntu Local Security Checks	high
57466	SuSE 10 Security Update : pidgin (ZYPP Patch Number 7901)	Nessus	SuSE Local Security Checks	medium
57465	SuSE 11.1 Security Update : pidgin (SAT Patch Number 5586)	Nessus	SuSE Local Security Checks	medium
57450	Fedora 15 : pidgin-2.10.1-1.fc15 (2011-17546)	Nessus	Fedora Local Security Checks	medium
57444	Fedora 16 : pidgin-2.10.1-1.fc16 (2011-17558)	Nessus	Fedora Local Security Checks	medium
57381	CentOS 6 : pidgin (CESA-2011:1821)	Nessus	CentOS Local Security Checks	medium
57318	Pidgin < 2.10.1 Multiple Vulnerabilities	Nessus	Windows	medium
57312	RHEL 6 : pidgin (RHSA-2011:1821)	Nessus	Red Hat Local Security Checks	high
57311	RHEL 4 / 5 : pidgin (RHSA-2011:1820)	Nessus	Red Hat Local Security Checks	high
57307	CentOS 4 / 5 : pidgin (CESA-2011:1820)	Nessus	CentOS Local Security Checks	medium
57079	Mandriva Linux Security Advisory : pidgin (MDVSA-2011:183)	Nessus	Mandriva Local Security Checks	medium

Detections

Analytics

CVE-2011-4601

high

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium

high

medium

medium

medium

medium

medium

medium

high

high

medium

medium