Pidgin < 2.10.7 Multiple Vulnerabilities

This script is Copyright (C) 2013-2017 Tenable Network Security, Inc.


Synopsis :

An instant messaging client installed on the remote Windows host is
affected by multiple vulnerabilities.

Description :

The version of Pidgin installed on the remote host is earlier than
2.10.7. It is, therefore, potentially affected by the following
vulnerabilities :

- An error exists related to the 'MXit' plugin and
the saving of images that could allow arbitrary files
to be overwritten. (CVE-2013-0271)

- A stack-based buffer overflow exists in the function
'mxit_cb_http_read' in the file
'libpurple/protocols/mxit/http.c' that could allow
arbitrary code execution when handling certain HTTP
headers. (CVE-2013-0272)

- An error exists in the function 'mw_prpl_normalize' in
the file 'libpurple/protocols/sametime/sametime.c' that
could allow denial of service attacks when handling
user IDs longer than 4096 bytes. (CVE-2013-0273)

- Errors exist in the functions
'upnp_parse_description_cb',
'purple_upnp_discover_send_broadcast',
'looked_up_public_ip_cb', 'looked_up_internal_ip_cb',
'purple_upnp_set_port_mapping', and
'purple_upnp_remove_port_mapping' in the file
'libpurple/upnp.c' that could allow denial of service
attacks when handling certain UPnP response messages.
(CVE-2013-0274)

See also :

http://hg.pidgin.im/pidgin/main/log/ad7e7fb98db3
http://pidgin.im/news/security/?id=65
http://pidgin.im/news/security/?id=66
http://pidgin.im/news/security/?id=67
http://pidgin.im/news/security/?id=68

Solution :

Upgrade to Pidgin 2.10.7 or later.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Windows

Nessus Plugin ID: 64670 ()

Bugtraq ID: 57951
57952
57954

CVE ID: CVE-2013-0271
CVE-2013-0272
CVE-2013-0273
CVE-2013-0274

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now