Debian Security Advisory
DSA-2859-1 pidgin -- several vulnerabilities
- Date Reported:
- 10 Feb 2014
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2013-6477, CVE-2013-6478, CVE-2013-6479, CVE-2013-6481, CVE-2013-6482, CVE-2013-6483, CVE-2013-6484, CVE-2013-6485, CVE-2013-6487, CVE-2013-6489, CVE-2013-6490, CVE-2014-0020.
- More information:
Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client:
Jaime Breva Ribes discovered that a remote XMPP user can trigger a crash by sending a message with a timestamp in the distant future.
Pidgin could be crashed through overly wide tooltip windows.
Jacob Appelbaum discovered that a malicious server or a
man in the middlecould send a malformed HTTP header resulting in denial of service.
Daniel Atallah discovered that Pidgin could be crashed through malformed Yahoo! P2P messages.
Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed MSN messages.
Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed XMPP messages.
It was discovered that incorrect error handling when reading the response from a STUN server could result in a crash.
Matt Jones discovered a buffer overflow in the parsing of malformed HTTP responses.
Yves Younan and Ryan Pentney discovered a buffer overflow when parsing Gadu-Gadu messages.
Yves Younan and Pawel Janic discovered an integer overflow when parsing MXit emoticons.
Yves Younan discovered a buffer overflow when parsing SIMPLE headers.
Daniel Atallah discovered that Pidgin could be crashed via malformed IRC arguments.
For the oldstable distribution (squeeze), no direct backport is provided. A fixed package will be provided through backports.debian.org shortly.
For the stable distribution (wheezy), these problems have been fixed in version 2.10.9-1~deb7u1.
For the unstable distribution (sid), these problems have been fixed in version 2.10.9-1.
We recommend that you upgrade your pidgin packages.