KLA10433 Multiple vulnerabilities in Pidgin

Multiple serious vulnerabilities have been found in Pidgin. Malicious users can exploit these vulnerabilities to cause denial of service, execute arbitrary programs and other unknown impact. Below is a complete list of vulnerabilities

1. Improper traffic restrictions can be exploited remotely via a specially designed message;
2. An unknown vulnerability can be exploited remotely via specially designed SOAP or OIM XML responses, Content-Length header, Yahoo! P2P message or specially designed files in messages;
3. An integer overflow can be exploited remotely via a specially designed Content-Length header, emoticon or timestamp;
4. Improper protocol implementation can be exploited remotely via a specially designed STUN server;
5. A buffer overflow can be exploited remotely via a specially designed chunk-size field;
6. Improper library interaction can be exploited remotely via a specially designed URL;

Original advisories

Related products

Pidgin

CVE list

CVE-2013-6489 critical

CVE-2013-6481 critical

CVE-2013-6485 critical

CVE-2013-6477 critical

CVE-2014-0020 critical

CVE-2013-6487 critical

CVE-2013-6486 critical

CVE-2013-6484 critical

CVE-2013-6490 critical

CVE-2013-6478 warning

CVE-2013-6479 critical

CVE-2013-6482 critical

CVE-2013-6483 high

Solution

Update to latest version

Pidgin

Impacts

• ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

• DoS

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

• SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

Affected Products

• Pidgin versions earlier than 2.10.8