Pidgin < 2.5.6 Multiple Buffer Overflows

High Nessus Plugin ID 38866


The remote host is running an instant messaging client that is affected by multiple buffer overflow vulnerabilities.


The remote host is running Pidgin earlier than 2.5.6. Such versions are reportedly affected by multiple buffer overflow vulnerabilities :

- A buffer overflow is possible when initiating a file transfer to a malicious buddy over XMPP. (CVE-2009-1373)

- A buffer overflow issue in the 'decrypt_out()' function can be exploited through specially crafted 'QQ' packets.

- A buffer maintained by PurpleCircBuffer which is used by XMPP and Sametime protocol plugins can be corrupted if it's exactly full and then more bytes are added to it.

- An integer-overflow issue exists in the application due to an incorrect typecasting of 'int64' to 'size_t'.


Upgrade to Pidgin 2.5.6 or later.

See Also

Plugin Details

Severity: High

ID: 38866

File Name: pidgin_2_5_6.nasl

Version: 1.12

Type: local

Agent: windows

Family: Windows

Published: 2009/05/22

Updated: 2018/07/24

Dependencies: 34205

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:pidgin:pidgin

Required KB Items: SMB/Pidgin/Version

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information

CVE: CVE-2009-1373, CVE-2009-1374, CVE-2009-1375, CVE-2009-1376

BID: 35067

CWE: 119, 189