Absolute path traversal vulnerability in the untar_block function in win32/untar.c in Pidgin before 2.10.10 on Windows allows remote attackers to write to arbitrary files via a drive name in a tar archive of a smiley theme.

- Update to version 2.10.10 :

  + General :

  - Check the basic constraints extension when validating     SSL/TLS certificates. This fixes a security hole that     allowed a malicious man-in-the-middle to impersonate an     IM server or any other https endpoint. This affected     both the NSS and GnuTLS plugins (CVE-2014-3694,     boo#902495).

  - Allow and prefer TLS 1.2 and 1.1 when using the NSS     plugin for SSL (im#15909).

  + libpurple3 compatibility :

  - Encrypted account passwords are preserved until the new     one is set.

  - Fix loading Google Talk and Facebook XMPP accounts.

  + Windows-Specific Changes: Don't allow overwriting     arbitrary files on the file system when the user     installs a smiley theme via drag-and-drop     (CVE-2014-3697).

  + Finch: Fix build against Python 3 (im#15969).

  + Gadu-Gadu: Updated internal libgadu to version 1.12.0.

  + Groupwise: Fix potential remote crash parsing server     message that indicates that a large amount of memory     should be allocated (CVE-2014-3696, boo#902410).

  + IRC: Fix a possible leak of unencrypted data when using     /me command with OTR (im#15750).

  + MXit: Fix potential remote crash parsing a malformed     emoticon response (CVE-2014-3695, boo#902409).

  + XMPP :

  - Fix potential information leak where a malicious XMPP     server and possibly even a malicious remote user could     create a carefully crafted XMPP message that causes     libpurple to send an XMPP message containing arbitrary     memory (CVE-2014-3698, boo#902408).

  - Fix Facebook XMPP roster quirks (im#15041, im#15957).

  + Yahoo: Fix login when using the GnuTLS library for TLS     connections (im#16172, boo#874606).

  - Drop pidgin-gstreamer1.patch: causes crashes and Video     still does not work (boo#853038). Drop BuildRequires     conditions switching to GStreamer 1.0.

  - Rebase pidgin-crash-missing-gst-registry.patch.

  + add pidgin-crash-missing-gst-registry.patch according to     the GST doc, 'gst_init' should be called before any     other calls.

The following issues were fixed in this update :

  + General :

  - Check the basic constraints extension when validating     SSL/TLS certificates. This fixes a security hole that     allowed a malicious man-in-the-middle to impersonate an     IM server or any other https endpoint. This affected     both the NSS and GnuTLS plugins (CVE-2014-3694,     boo#902495).

  - Allow and prefer TLS 1.2 and 1.1 when using the NSS     plugin for SSL (im#15909).

  + libpurple3 compatibility :

  - Encrypted account passwords are preserved until the new     one is set.

  - Fix loading Google Talk and Facebook XMPP accounts.

  + Groupwise: Fix potential remote crash parsing server     message that indicates that a large amount of memory     should be allocated (CVE-2014-3696, boo#902410).

  + IRC: Fix a possible leak of unencrypted data when using     /me command with OTR (im#15750).

  + MXit: Fix potential remote crash parsing a malformed     emoticon response (CVE-2014-3695, boo#902409).

  + XMPP :

  - Fix potential information leak where a malicious XMPP     server and possibly even a malicious remote user could     create a carefully crafted XMPP message that causes     libpurple to send an XMPP message containing arbitrary     memory (CVE-2014-3698, boo#902408).

  + Yahoo: Fix login when using the GnuTLS library for TLS     connections (im#16172, boo#874606).

The version of Pidgin installed on the remote host is a version prior to 2.10.10. It is, therefore, affected by the following vulnerabilities :

  - An error exists in the included libpurple library     related the SSL Basic Constraints extension and     Certificate Authority (CA) verification that allows     intermediate certificates to be trusted as a CA.
    (CVE-2014-3694)

  - An error exists in the included libpurple library     related to emoticon handling that allows an attacker to     crash the application. (CVE-2014-3695)

  - An error exists in the included libpurple library     related to 'Groupwise' message handling and UI memory     management that allows an attacker to crash the     application. (CVE-2014-3696)

  - An error exists related to handling 'untar' operations     on 'smiley themes' that allows arbitrary file     overwrites. This issue only affects installs on     Microsoft Windows. (CVE-2014-3697)

  - An error exists in the included libpurple library     related to handling XMPP messages that allows an     attacker to obtain arbitrary memory contents.
    (CVE-2014-3698)

New pidgin packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

The remote host is running a vulnerable version of Pidgin chat client.  This version of Pidgin is vulnerable to multiple flaws which would allow an attacker to read/write arbitrary data, subvert security tokens, cause a denial of service, and more.

ID	Name	Product	Family	Severity
79223	openSUSE Security Update : pidgin (openSUSE-SU-2014:1397-1)	Nessus	SuSE Local Security Checks	medium
79101	openSUSE Security Update : pidgin (openSUSE-SU-2014:1376-1)	Nessus	SuSE Local Security Checks	medium
78689	Pidgin < 2.10.10 Multiple Vulnerabilities	Nessus	Windows	medium
78663	FreeBSD : libpurple/pidgin -- multiple vulnerabilities (d057c5e6-5b20-11e4-bebd-000c2980a9f3)	Nessus	FreeBSD Local Security Checks	medium
78657	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : pidgin (SSA:2014-296-02)	Nessus	Slackware Local Security Checks	medium
8575	Pidgin < 2.10.10	Nessus Network Monitor	Internet Messengers	medium

Detections

Analytics

CVE-2014-3697

high

Tenable Plugins

medium

medium

medium

medium

medium

medium