Summary
Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client:
CVE-2014-3694
It was discovered that the SSL/TLS plugins failed to validate the basic constraints extension in intermediate CA certificates.
CVE-2014-3695
Yves Younan and Richard Johnson discovered that emotictons with overly large length values could crash Pidgin.
CVE-2014-3696
Yves Younan and Richard Johnson discovered that malformed Groupwise messages could crash Pidgin.
CVE-2014-3698
Thijs Alkemade and Paul Aurich discovered that malformed XMPP messages could result in memory disclosure.
Solution
For the stable distribution (wheezy), these problems have been fixed in version 2.10.10-1~deb7u1.
For the unstable distribution (sid), these problems have been fixed in version 2.10.10-1.
We recommend that you upgrade your pidgin packages.
Insight
Pidgin is a graphical, modular instant messaging client capable of using multiple networks at once. Currently supported are:
AIM/ICQ, Yahoo!, MSN, IRC, Jabber/XMPP/Google Talk, Napster, Zephyr, Gadu-Gadu, Bonjour, Groupwise, Sametime, SIMPLE, MySpaceIM, and MXit.
Affected
pidgin on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2014-3694, CVE-2014-3695, CVE-2014-3696, CVE-2014-3698 -
CVSS Base Score: 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N
Related Vulnerabilities