Mandriva Linux Security Advisory : pidgin (MDVSA-2010:041)

Medium Nessus Plugin ID 44664


The remote Mandriva Linux host is missing one or more security updates.


Multiple security vulnerabilities has been identified and fixed in pidgin :

Certain malformed SLP messages can trigger a crash because the MSN protocol plugin fails to check that all pieces of the message are set correctly (CVE-2010-0277).

In a user in a multi-user chat room has a nickname containing '<br>' then libpurple ends up having two users with username ' ' in the room, and Finch crashes in this situation. We do not believe there is a possibility of remote code execution (CVE-2010-0420).

oCERT notified us about a problem in Pidgin, where a large amount of processing time will be used when inserting many smileys into an IM or chat window. This should not cause a crash, but Pidgin can become unusable slow (CVE-2010-0423).

Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers.

This update provides pidgin 2.6.6, which is not vulnerable to these issues.


Update the affected packages.

See Also

Plugin Details

Severity: Medium

ID: 44664

File Name: mandriva_MDVSA-2010-041.nasl

Version: $Revision: 1.13 $

Type: local

Published: 2010/02/19

Modified: 2016/11/28

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:finch, p-cpe:/a:mandriva:linux:lib64finch0, p-cpe:/a:mandriva:linux:lib64purple-devel, p-cpe:/a:mandriva:linux:lib64purple0, p-cpe:/a:mandriva:linux:libfinch0, p-cpe:/a:mandriva:linux:libpurple-devel, p-cpe:/a:mandriva:linux:libpurple0, p-cpe:/a:mandriva:linux:pidgin, p-cpe:/a:mandriva:linux:pidgin-bonjour, p-cpe:/a:mandriva:linux:pidgin-client, p-cpe:/a:mandriva:linux:pidgin-gevolution, p-cpe:/a:mandriva:linux:pidgin-i18n, p-cpe:/a:mandriva:linux:pidgin-meanwhile, p-cpe:/a:mandriva:linux:pidgin-mono, p-cpe:/a:mandriva:linux:pidgin-perl, p-cpe:/a:mandriva:linux:pidgin-plugins, p-cpe:/a:mandriva:linux:pidgin-silc, p-cpe:/a:mandriva:linux:pidgin-tcl, cpe:/o:mandriva:linux:2008.0, cpe:/o:mandriva:linux:2009.1, cpe:/o:mandriva:linux:2010.0

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2010/02/18

Reference Information

CVE: CVE-2010-0277, CVE-2010-0420, CVE-2010-0423

BID: 38294

MDVSA: 2010:041

CWE: 20, 399