Pidgin < 2.10.10 Multiple Vulnerabilities

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

An instant messaging client installed on the remote Windows host is
affected by multiple vulnerabilities.

Description :

The version of Pidgin installed on the remote host is a version prior
to 2.10.10. It is, therefore, affected by the following
vulnerabilities :

- An error exists in the included libpurple library
related to the SSL Basic Constraints extension and
Certificate Authority (CA) verification that allows
intermediate certificates to be trusted as a CA.
(CVE-2014-3694)

- An error exists in the included libpurple library
related to emoticon handling that allows an attacker to
crash the application. (CVE-2014-3695)

- An error exists in the included libpurple library
related to 'Groupwise' message handling and UI memory
management that allows an attacker to crash the
application. (CVE-2014-3696)

- An error exists related to handling 'untar' operations
on 'smiley themes' that allows arbitrary file
overwrites. This issue only affects installs on
Microsoft Windows. (CVE-2014-3697)

- An error exists in the included libpurple library
related to handling XMPP messages that allows an
attacker to obtain arbitrary memory contents.
(CVE-2014-3698)

See also :

https://developer.pidgin.im/wiki/ChangeLog#version2.10.1010222014
http://pidgin.im/news/security/?id=86
http://pidgin.im/news/security/?id=87
http://pidgin.im/news/security/?id=88
http://pidgin.im/news/security/?id=89
http://pidgin.im/news/security/?id=90

Solution :

Upgrade to Pidgin 2.10.10 or later.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Windows

Nessus Plugin ID: 78689

Bugtraq ID: 70701, 70702, 70703, 70704, 70705

CVE ID: CVE-2014-3694, CVE-2014-3695, CVE-2014-3696, CVE-2014-3697, CVE-2014-3698
