Debian Security Advisory DSA 2859-1 (pidgin - several vulnerabilities)

  1. Network Vulnerabilities
  2. Debian Local Security Checks
  3. Debian Security Advisory DSA 2859-1 (pidgin - several vulnerabilities)
Summary
Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client: CVE-2013-6477 Jaime Breva Ribes discovered that a remote XMPP user can trigger a crash by sending a message with a timestamp in the distant future. CVE-2013-6478 Pidgin could be crashed through overly wide tooltip windows. CVE-2013-6479Jacob Appelbaum discovered that a malicious server or a man in the middle could send a malformed HTTP header resulting in denial of service. CVE-2013-6481 Daniel Atallah discovered that Pidgin could be crashed through malformed Yahoo! P2P messages. CVE-2013-6482 Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed MSN messages. CVE-2013-6483 Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed XMPP messages. CVE-2013-6484 It was discovered that incorrect error handling when reading the response from a STUN server could result in a crash. CVE-2013-6485 Matt Jones discovered a buffer overflow in the parsing of malformed HTTP responses. CVE-2013-6487 Yves Younan and Ryan Pentney discovered a buffer overflow when parsing Gadu-Gadu messages. CVE-2013-6489 Yves Younan and Pawel Janic discovered an integer overflow when parsing MXit emoticons. CVE-2013-6490 Yves Younan discovered a buffer overflow when parsing SIMPLE headers. CVE-2014-0020 Daniel Atallah discovered that Pidgin could be crashed via malformed IRC arguments.
Solution
For the oldstable distribution (squeeze), no direct backport is provided. A fixed package will be provided through backports.debian.org shortly. For the stable distribution (wheezy), these problems have been fixed in version 2.10.9-1~deb7u1. For the unstable distribution (sid), these problems have been fixed in version 2.10.9-1. We recommend that you upgrade your pidgin packages.
Insight
Pidgin is a graphical, modular instant messaging client capable of using multiple networks at once. Currently supported are: AIM/ICQ, Yahoo!, MSN, IRC, Jabber/XMPP/Google Talk, Napster, Zephyr, Gadu-Gadu, Bonjour, Groupwise, Sametime, SIMPLE, MySpaceIM, and MXit.
Affected
pidgin on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References
Updated on 2015-03-25
Severity
High Severity
Classification
Related Vulnerabilities