Mandriva Linux Security Advisory : pidgin (MDVSA-2011:183)

Medium Nessus Plugin ID 57079


The remote Mandriva Linux host is missing one or more security updates.


Multiple vulnerabilities have been discovered and corrected in pidgin:

When receiving various stanzas related to voice and video chat, the XMPP protocol plugin failed to ensure that the incoming message contained all required fields, and would crash if certain fields were missing.

When receiving various messages related to requesting or receiving authorization for adding a buddy to a buddy list, the oscar protocol plugin failed to validate that a piece of text was UTF-8. In some cases invalid UTF-8 data would lead to a crash (CVE-2011-4601).

When receiving various incoming messages, the SILC protocol plugin failed to validate that a piece of text was UTF-8. In some cases invalid UTF-8 data would lead to a crash (CVE-2011-3594).

This update provides pidgin 2.10.1, which is not vulnerable to these issues.


Update the affected packages.

Plugin Details

Severity: Medium

ID: 57079

File Name: mandriva_MDVSA-2011-183.nasl

Version: $Revision: 1.6 $

Type: local

Published: 2011/12/12

Modified: 2013/06/01

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:finch, p-cpe:/a:mandriva:linux:lib64finch0, p-cpe:/a:mandriva:linux:lib64purple-devel, p-cpe:/a:mandriva:linux:lib64purple0, p-cpe:/a:mandriva:linux:libfinch0, p-cpe:/a:mandriva:linux:libpurple-devel, p-cpe:/a:mandriva:linux:libpurple0, p-cpe:/a:mandriva:linux:pidgin, p-cpe:/a:mandriva:linux:pidgin-bonjour, p-cpe:/a:mandriva:linux:pidgin-client, p-cpe:/a:mandriva:linux:pidgin-gevolution, p-cpe:/a:mandriva:linux:pidgin-i18n, p-cpe:/a:mandriva:linux:pidgin-meanwhile, p-cpe:/a:mandriva:linux:pidgin-perl, p-cpe:/a:mandriva:linux:pidgin-plugins, p-cpe:/a:mandriva:linux:pidgin-silc, p-cpe:/a:mandriva:linux:pidgin-tcl, cpe:/o:mandriva:linux:2010.1, cpe:/o:mandriva:linux:2011

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2011/12/10

Reference Information

CVE: CVE-2011-3594, CVE-2011-4601

BID: 49912, 51010

MDVSA: 2011:183