Ubuntu USN-886-1
Jan 18, 2010 - 12:00 a.m.

Pidgin vulnerabilities

2010-01-18 00:00:00
ubuntu.com

CVSS3: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 8.6 High
  Confidence: High

CVSS2: 9.3 High
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.203 Low
  Percentile: 96.3%

Releases

  • Ubuntu 9.10
  • Ubuntu 9.04
  • Ubuntu 8.10
  • Ubuntu 8.04

Packages

  • pidgin

Details

It was discovered that Pidgin did not properly handle certain topic
messages in the IRC protocol handler. If a user were tricked into
connecting to a malicious IRC server, an attacker could cause Pidgin to
crash, leading to a denial of service. This issue only affected Ubuntu 8.04
LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-2703)

It was discovered that Pidgin did not properly enforce the “require
TLS/SSL” setting when connecting to certain older Jabber servers. If a
remote attacker were able to perform a machine-in-the-middle attack, this flaw
could be exploited to view sensitive information. This issue only affected
Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3026)

It was discovered that Pidgin did not properly handle certain SLP invite
messages in the MSN protocol handler. A remote attacker could send a
specially crafted invite message and cause Pidgin to crash, leading to a
denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10
and Ubuntu 9.04. (CVE-2009-3083)

It was discovered that Pidgin did not properly handle certain errors in the
XMPP protocol handler. A remote attacker could send a specially crafted
message and cause Pidgin to crash, leading to a denial of service. This
issue only affected Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3085)

It was discovered that Pidgin did not properly handle malformed
contact-list data in the OSCAR protocol handler. A remote attacker could
send specially crafted contact-list data and cause Pidgin to crash, leading
to a denial of service. (CVE-2009-3615)

It was discovered that Pidgin did not properly handle custom smiley
requests in the MSN protocol handler. A remote attacker could send a
specially crafted filename in a custom smiley request and obtain arbitrary
files via directory traversal. This issue only affected Ubuntu 8.10, Ubuntu
9.04 and Ubuntu 9.10. (CVE-2010-0013)

Pidgin for Ubuntu 8.04 LTS was also updated to fix connection issues with
the MSN protocol.

USN-675-1 and USN-781-1 provided updated Pidgin packages to fix multiple
security vulnerabilities in Ubuntu 8.04 LTS. The security patches to fix
CVE-2008-2955 and CVE-2009-1376 were incomplete. This update corrects the
problem. Original advisory details:

It was discovered that Pidgin did not properly handle file transfers
containing a long filename and special characters in the MSN protocol
handler. A remote attacker could send a specially crafted filename in a
file transfer request and cause Pidgin to crash, leading to a denial of
service. (CVE-2008-2955)

It was discovered that Pidgin did not properly handle certain malformed
messages in the MSN protocol handler. A remote attacker could send a
specially crafted message and possibly execute arbitrary code with user
privileges. (CVE-2009-1376)

OS      OS Version  Architecture  Package     Package Version        Filename
Ubuntu  9.10        noarch        pidgin      < 1:2.6.2-1ubuntu7.1   UNKNOWN
Ubuntu  9.10        noarch        finch       < 1:2.6.2-1ubuntu7.1   UNKNOWN
Ubuntu  9.10        noarch        libpurple0  < 1:2.6.2-1ubuntu7.1   UNKNOWN
Ubuntu  9.10        noarch        pidgin-dbg  < 1:2.6.2-1ubuntu7.1   UNKNOWN
Ubuntu  9.04        noarch        pidgin      < 1:2.5.5-1ubuntu8.5   UNKNOWN
Ubuntu  9.04        noarch        finch       < 1:2.5.5-1ubuntu8.5   UNKNOWN
Ubuntu  9.04        noarch        libpurple0  < 1:2.5.5-1ubuntu8.5   UNKNOWN
Ubuntu  9.04        noarch        pidgin-dbg  < 1:2.5.5-1ubuntu8.5   UNKNOWN
Ubuntu  8.10        noarch        pidgin      < 1:2.5.2-0ubuntu1.6   UNKNOWN
Ubuntu  8.10        noarch        finch       < 1:2.5.2-0ubuntu1.6   UNKNOWN

(rows 1-10 of 161)
