Pidgin < 2.10.2 Multiple DoS

This script is Copyright (C) 2012-2016 Tenable Network Security, Inc.


Synopsis :

An instant messaging client installed on the remote Windows host is
potentially affected by multiple denial of service vulnerabilities.

Description :

The version of Pidgin installed on the remote host is earlier than
2.10.2 and is potentially affected by the following issues :

- A denial of service vulnerability (NULL pointer
dereference) in the 'pidgin_conv_chat_rename_user'
function in 'gtkconv.c'. A remote attacker can trigger
the crash by performing certain types of nickname
change while in an XMPP chat room. (CVE-2011-4939)

- A denial of service vulnerability in the
'msn_oim_report_to_user' function in 'oim.c'. A
malicious or compromised remote server can crash the
application by sending an Offline Instant Message
(OIM) whose body is not valid UTF-8. (CVE-2012-1178)
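The check behind this plugin is a version comparison: any Pidgin release older than 2.10.2 is flagged. The example below is added here and is not the Nessus plugin's own NASL code or anything from the Pidgin project; it shows the comparison done numerically, because a naive string comparison sorts "2.9.0" after "2.10.2" and would report a vulnerable 2.9.x install as fixed. The inventory lines it runs over are constructed sample data, and the handling of suffixed versions such as "2.10.2devel" is an assumption noted in the code.

```python
# Added example (not the Nessus plugin's code, not Pidgin code): flag installed
# Pidgin versions older than the fixed release 2.10.2.
import re
from typing import Dict, List, Tuple

# First Pidgin release that addresses CVE-2011-4939 and CVE-2012-1178.
FIXED_VERSION = "2.10.2"


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of integers.

    Numeric comparison matters: as plain strings "2.9.0" > "2.10.2", which
    would wrongly mark a vulnerable 2.9.x install as patched. Assumption
    made here: a trailing non-numeric suffix (e.g. "2.10.2devel") is
    ignored, so a development build is judged by its numeric part only.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)", ver.strip())
    if not m:
        raise ValueError(f"unparseable version string: {ver!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """Return True if `installed` is strictly older than `fixed`.

    Both tuples are zero-padded to the same length so that "2.10.2" and
    "2.10.2.0" compare equal instead of the shorter one sorting first.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def flag_hosts(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the hostnames whose reported Pidgin version needs upgrading."""
    return [
        entry["host"]
        for entry in inventory
        if is_vulnerable(entry["version"])
    ]


# Constructed sample inventory (not real scan output) to exercise the check.
SAMPLE_INVENTORY = [
    {"host": "ws-01.example.test", "version": "2.9.0"},    # vulnerable
    {"host": "ws-02.example.test", "version": "2.10.1"},   # vulnerable
    {"host": "ws-03.example.test", "version": "2.10.2"},   # fixed
    {"host": "ws-04.example.test", "version": "2.10"},     # vulnerable
    {"host": "ws-05.example.test", "version": "2.11.0"},   # fixed
]

if __name__ == "__main__":
    for host in flag_hosts(SAMPLE_INVENTORY):
        print(f"{host}: upgrade Pidgin to {FIXED_VERSION} or later")
```

The string-versus-numeric pitfall is the one that matters in practice: a scanner or asset script that compares raw version strings will silently miss every 2.9.x host while correctly catching 2.10.1.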

See also :

http://developer.pidgin.im/ticket/14392
http://pidgin.im/news/security/?id=60
http://pidgin.im/news/security/?id=61
http://developer.pidgin.im/ticket/14884

Solution :

Upgrade to Pidgin 2.10.2 or later.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P)
CVSS Temporal Score : 5.6
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Windows

Nessus Plugin ID: 58410

Bugtraq ID: 52475, 52476

CVE ID: CVE-2011-4939, CVE-2012-1178
