Lucene search

Ubuntu.comUB:CVE-2012-2214

HistoryJul 03, 2012 - 12:00 a.m.

CVE-2012-2214

2012-07-0300:00:00

ubuntu.com

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:N/I:N/A:P

0.003 Low

EPSS

Percentile

70.2%

JSON

proxy.c in libpurple in Pidgin before 2.10.4 does not properly handle
canceled SOCKS5 connection attempts, which allows user-assisted remote
authenticated users to cause a denial of service (application crash) via a
sequence of XMPP file-transfer requests.

Bugs

<https://bugs.launchpad.net/bugs/996691>

Notes

Author	Note
jdstrand	claimed to be fixed in 2.10.4
tyhicks	After my code review and upstream’s confirmation, the vulnerability was introduced sometime after 2.7.11. Upstream believes it was introduced in changeset 31742:e6eb15f2734b

OSVersionArchitecturePackageVersionFilename
ubuntu11.10noarchpidgin< 1:2.10.0-0ubuntu2.1UNKNOWN
ubuntu12.04noarchpidgin< 1:2.10.3-0ubuntu1.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	11.10	noarch	pidgin	< 1:2.10.0-0ubuntu2.1	UNKNOWN
ubuntu	12.04	noarch	pidgin	< 1:2.10.3-0ubuntu1.1	UNKNOWN

References

www.pidgin.im/news/security/?id=62

launchpad.net/bugs/cve/CVE-2012-2214

nvd.nist.gov/vuln/detail/CVE-2012-2214

security-tracker.debian.org/tracker/CVE-2012-2214

ubuntu.com/security/notices/USN-1500-1

www.cve.org/CVERecord?id=CVE-2012-2214

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:N/I:N/A:P

0.003 Low

EPSS

Percentile

70.2%

JSON

Related for UB:CVE-2012-2214