ID CVE-2010-0277
Summary slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013.
References
Vulnerable Configurations
  • Pidgin 2.6.4
    cpe:2.3:a:pidgin:pidgin:2.6.4
  • cpe:2.3:a:adium:adium:1.3.8
    cpe:2.3:a:adium:adium:1.3.8
  • Pidgin 2.5.9
    cpe:2.3:a:pidgin:pidgin:2.5.9
  • Pidgin 2.5.8
    cpe:2.3:a:pidgin:pidgin:2.5.8
  • Pidgin 2.5.2
    cpe:2.3:a:pidgin:pidgin:2.5.2
  • Pidgin 2.5.3
    cpe:2.3:a:pidgin:pidgin:2.5.3
  • Pidgin 2.5.0
    cpe:2.3:a:pidgin:pidgin:2.5.0
  • Pidgin 2.5.1
    cpe:2.3:a:pidgin:pidgin:2.5.1
  • Pidgin 2.5.4
    cpe:2.3:a:pidgin:pidgin:2.5.4
  • Pidgin 2.5.5
    cpe:2.3:a:pidgin:pidgin:2.5.5
  • Pidgin 2.5.6
    cpe:2.3:a:pidgin:pidgin:2.5.6
  • Pidgin 2.5.6
    cpe:2.3:a:pidgin:pidgin:2.5.7
  • Pidgin 2.6.5
    cpe:2.3:a:pidgin:pidgin:2.6.5
  • Pidgin 2.6.2
    cpe:2.3:a:pidgin:pidgin:2.6.2
  • Pidgin 2.6.1
    cpe:2.3:a:pidgin:pidgin:2.6.1
  • Pidgin 2.6.0
    cpe:2.3:a:pidgin:pidgin:2.6.0
  • Pidgin 2.4.0
    cpe:2.3:a:pidgin:pidgin:2.4.0
  • Pidgin 2.4.1
    cpe:2.3:a:pidgin:pidgin:2.4.1
  • Pidgin 2.4.2
    cpe:2.3:a:pidgin:pidgin:2.4.2
  • Pidgin 2.4.3
    cpe:2.3:a:pidgin:pidgin:2.4.3
  • Pidgin 2.3.1
    cpe:2.3:a:pidgin:pidgin:2.3.1
  • Pidgin 2.3.0
    cpe:2.3:a:pidgin:pidgin:2.3.0
  • Pidgin 2.2.0
    cpe:2.3:a:pidgin:pidgin:2.2.0
  • Pidgin 2.2.1
    cpe:2.3:a:pidgin:pidgin:2.2.1
  • Pidgin 2.2.2
    cpe:2.3:a:pidgin:pidgin:2.2.2
  • Pidgin 2.1.1
    cpe:2.3:a:pidgin:pidgin:2.1.1
  • Pidgin 2.1.0
    cpe:2.3:a:pidgin:pidgin:2.1.0
  • Pidgin 2.0.2
    cpe:2.3:a:pidgin:pidgin:2.0.2
  • Pidgin 2.0.1
    cpe:2.3:a:pidgin:pidgin:2.0.1
  • Pidgin 2.0.0
    cpe:2.3:a:pidgin:pidgin:2.0.0
CVSS
Base: 5.0 (as of 11-01-2010 - 10:22)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
nessus via4
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_143318-03.NASL
    description GNOME 2.6.0_x86: Instant Messaging patch. Date this patch was last updated by Sun : Nov/30/10
    last seen 2018-10-31
    modified 2018-10-29
    plugin id 108035
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108035
    title Solaris 10 (x86) : 143318-03
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_143317-03.NASL
    description GNOME 2.6.0: Instant Messaging patch. Date this patch was last updated by Sun : Nov/30/10
    last seen 2018-10-27
    modified 2018-10-26
    plugin id 107540
    published 2018-03-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=107540
    title Solaris 10 (sparc) : 143317-03
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2010-0115.NASL
    description Updated pidgin packages that fix three security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. An input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277) A denial of service flaw was found in Finch's XMPP chat implementation, when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML 'br' element, it would cause Finch to crash. (CVE-2010-0420) Red Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project for responsibly reporting the CVE-2010-0420 issue. A denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. (CVE-2010-0423) These packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog All Pidgin users are advised to upgrade to these updated packages, which correct these issues. Pidgin must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 44666
    published 2010-02-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44666
    title RHEL 4 / 5 : pidgin (RHSA-2010:0115)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-041.NASL
    description Multiple security vulnerabilities has been identified and fixed in pidgin : Certain malformed SLP messages can trigger a crash because the MSN protocol plugin fails to check that all pieces of the message are set correctly (CVE-2010-0277). In a user in a multi-user chat room has a nickname containing '
    ' then libpurple ends up having two users with username ' ' in the room, and Finch crashes in this situation. We do not believe there is a possibility of remote code execution (CVE-2010-0420). oCERT notified us about a problem in Pidgin, where a large amount of processing time will be used when inserting many smileys into an IM or chat window. This should not cause a crash, but Pidgin can become unusable slow (CVE-2010-0423). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. This update provides pidgin 2.6.6, which is not vulnerable to these issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 44664
    published 2010-02-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44664
    title Mandriva Linux Security Advisory : pidgin (MDVSA-2010:041)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_2_FINCH-100219.NASL
    description This update of pidgin fixes various security vulnerabilities - CVE-2010-0013: CVSS v2 Base Score: 4.3: Path Traversal (CWE-22) Remote file disclosure vulnerability by using the MSN protocol. - CVE-2010-0277: CVSS v2 Base Score: 4.9: Resource Management Errors (CWE-399) MSN protocol plugin in libpurple allowed remote attackers to cause a denial of service (memory corruption) at least. - CVE-2010-0420 Same nick names in XMPP MUC lead to a crash in finch. - CVE-2010-0423 A remote denial of service attack (resource consumption) is possible by sending an IM with a lot of smilies in it.
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 44982
    published 2010-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44982
    title openSUSE Security Update : finch (finch-2032)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-085.NASL
    description Security vulnerabilities has been identified and fixed in pidgin : The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client (CVE-2009-3615). Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon (CVE-2010-0013). Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon (CVE-2010-0013). Certain malformed SLP messages can trigger a crash because the MSN protocol plugin fails to check that all pieces of the message are set correctly (CVE-2010-0277). In a user in a multi-user chat room has a nickname containing '
    ' then libpurple ends up having two users with username ' ' in the room, and Finch crashes in this situation. We do not believe there is a possibility of remote code execution (CVE-2010-0420). oCERT notified us about a problem in Pidgin, where a large amount of processing time will be used when inserting many smileys into an IM or chat window. This should not cause a crash, but Pidgin can become unusable slow (CVE-2010-0423). Packages for 2009.0 are provided due to the Extended Maintenance Program. This update provides pidgin 2.6.6, which is not vulnerable to these issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 46177
    published 2010-04-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=46177
    title Mandriva Linux Security Advisory : pidgin (MDVSA-2010:085)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_FINCH-100219.NASL
    description This update of pidgin fixes various security vulnerabilities : - Remote file disclosure vulnerability by using the MSN protocol. (CVE-2010-0013: CVSS v2 Base Score: 4.3 : Path Traversal (CWE-22)) - MSN protocol plugin in libpurple allowed remote attackers to cause a denial of service (memory corruption) at least. (CVE-2010-0277: CVSS v2 Base Score: 4.9 : Resource Management Errors (CWE-399)) - Same nick names in XMPP MUC lead to a crash in finch. (CVE-2010-0420) - A remote denial of service attack (resource consumption) is possible by sending an IM with a lot of smilies in it. (CVE-2010-0423)
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 44965
    published 2010-03-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44965
    title SuSE 11 Security Update : pidgin (SAT Patch Number 2019)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20100218_PIDGIN_ON_SL4_X.NASL
    description CVE-2010-0277 pidgin MSN protocol plugin memory corruption CVE-2010-0420 pidgin: Finch XMPP MUC Crash CVE-2010-0423 pidgin: Smiley Denial of Service An input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277) A denial of service flaw was found in Finch's XMPP chat implementation, when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML 'br' element, it would cause Finch to crash. (CVE-2010-0420) A denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. (CVE-2010-0423) Pidgin must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60738
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60738
    title Scientific Linux Security Update : pidgin on SL4.x, SL5.x i386/x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-902-1.NASL
    description Fabian Yamaguchi discovered that Pidgin incorrectly validated all fields of an incoming message in the MSN protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. (CVE-2010-0277) Sadrul Habib Chowdhury discovered that Pidgin incorrectly handled certain nicknames in Finch group chat rooms. A remote attacker could use a specially crafted nickname and cause Pidgin to crash, leading to a denial of service. (CVE-2010-0420) Antti Hayrynen discovered that Pidgin incorrectly handled large numbers of smileys. A remote attacker could send a specially crafted message and cause Pidgin to become unresponsive, leading to a denial of service. (CVE-2010-0423). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 44688
    published 2010-02-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44688
    title Ubuntu 8.04 LTS / 8.10 / 9.04 / 9.10 : pidgin vulnerabilities (USN-902-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_FINCH-100219.NASL
    description This update of pidgin fixes various security vulnerabilities - CVE-2010-0013: CVSS v2 Base Score: 4.3: Path Traversal (CWE-22) Remote file disclosure vulnerability by using the MSN protocol. - CVE-2010-0277: CVSS v2 Base Score: 4.9: Resource Management Errors (CWE-399) MSN protocol plugin in libpurple allowed remote attackers to cause a denial of service (memory corruption) at least. - CVE-2010-0420 Same nick names in XMPP MUC lead to a crash in finch. - CVE-2010-0423 A remote denial of service attack (resource consumption) is possible by sending an IM with a lot of smilies in it.
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 44979
    published 2010-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44979
    title openSUSE Security Update : finch (finch-2032)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_FINCH-6856.NASL
    description This update of pidgin fixes various security vulnerabilities : - Remote file disclosure vulnerability by using the MSN protocol. CVE-2010-0277: CVSS v2 Base Score: 4.9: Resource Management Errors (CWE-399) MSN protocol plugin in libpurple allowed remote attackers to cause a denial of service (memory corruption) at least. CVE-2010-0420: Same nick names in XMPP MUC lead to a crash in finch. CVE-2010-0423: A remote denial of service attack (resource consumption) is possible by sending an IM with a lot of smilies in it. (CVE-2010-0013: CVSS v2 Base Score: 4.3: Path Traversal (CWE-22))
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 51727
    published 2011-01-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51727
    title SuSE 10 Security Update : pidgin (ZYPP Patch Number 6856)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-1934.NASL
    description 2.6.6 with security and numerous minor bug fixes CVE-2010-0277 CVE-2010-0420 CVE-2010-0423 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-08
    plugin id 47286
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47286
    title Fedora 13 : pidgin-2.6.6-1.fc13 (2010-1934)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2010-0115.NASL
    description Updated pidgin packages that fix three security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. An input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277) A denial of service flaw was found in Finch's XMPP chat implementation, when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML 'br' element, it would cause Finch to crash. (CVE-2010-0420) Red Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project for responsibly reporting the CVE-2010-0420 issue. A denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. (CVE-2010-0423) These packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog All Pidgin users are advised to upgrade to these updated packages, which correct these issues. Pidgin must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 44671
    published 2010-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44671
    title CentOS 4 / 5 : pidgin (CESA-2010:0115)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_FINCH-6861.NASL
    description This update of pidgin fixes various security vulnerabilities : - Remote file disclosure vulnerability by using the MSN protocol. CVE-2010-0277: CVSS v2 Base Score: 4.9: Resource Management Errors (CWE-399) MSN protocol plugin in libpurple allowed remote attackers to cause a denial of service (memory corruption) at least. CVE-2010-0420: Same nick names in XMPP MUC lead to a crash in finch. CVE-2010-0423: A remote denial of service attack (resource consumption) is possible by sending an IM with a lot of smilies in it. (CVE-2010-0013: CVSS v2 Base Score: 4.3: Path Traversal (CWE-22))
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 51728
    published 2011-01-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51728
    title SuSE 10 Security Update : pidgin (ZYPP Patch Number 6861)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_FINCH-100219.NASL
    description This update of pidgin fixes various security vulnerabilities - CVE-2010-0013: CVSS v2 Base Score: 4.3: Path Traversal (CWE-22) Remote file disclosure vulnerability by using the MSN protocol. - CVE-2010-0277: CVSS v2 Base Score: 4.9: Resource Management Errors (CWE-399) MSN protocol plugin in libpurple allowed remote attackers to cause a denial of service (memory corruption) at least. - CVE-2010-0420 Same nick names in XMPP MUC lead to a crash in finch. - CVE-2010-0423 A remote denial of service attack (resource consumption) is possible by sending an IM with a lot of smilies in it.
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 44976
    published 2010-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44976
    title openSUSE Security Update : finch (finch-2032)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_143318.NASL
    description GNOME 2.6.0_x86: Instant Messaging patch. Date this patch was last updated by Sun : Nov/30/10 This plugin has been deprecated and either replaced with individual 143318 patch-revision plugins, or deemed non-security related.
    last seen 2019-02-21
    modified 2018-07-30
    plugin id 71703
    published 2013-12-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71703
    title Solaris 10 (x86) : 143318-03 (deprecated)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-1279.NASL
    description 2.6.6 with security and numerous minor bug fixes CVE-2010-0277 CVE-2010-0420 CVE-2010-0423 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 47244
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47244
    title Fedora 11 : pidgin-2.6.6-1.fc11 (2010-1279)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-1383.NASL
    description 2.6.6 with security and numerous minor bug fixes CVE-2010-0277 CVE-2010-0420 CVE-2010-0423 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 47252
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47252
    title Fedora 12 : pidgin-2.6.6-1.fc12 (2010-1383)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2010-0115.NASL
    description From Red Hat Security Advisory 2010:0115 : Updated pidgin packages that fix three security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. An input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277) A denial of service flaw was found in Finch's XMPP chat implementation, when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML 'br' element, it would cause Finch to crash. (CVE-2010-0420) Red Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project for responsibly reporting the CVE-2010-0420 issue. A denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. (CVE-2010-0423) These packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog All Pidgin users are advised to upgrade to these updated packages, which correct these issues. Pidgin must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68001
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68001
    title Oracle Linux 4 : pidgin (ELSA-2010-0115)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2010-069-01.NASL
    description New pidgin packages are available for Slackware 12.0, 12.1, 12.2, 13.0, and -current to fix denial of service issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 45024
    published 2010-03-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45024
    title Slackware 12.0 / 12.1 / 12.2 / 13.0 / current : pidgin (SSA:2010-069-01)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_A2C4D3D54C7B11DF83FB0015587E2CC1.NASL
    description Three denial of service vulnerabilities where found in pidgin and allow remote attackers to crash the application. The developers summarized these problems as follows : Pidgin can become unresponsive when displaying large numbers of smileys Certain nicknames in group chat rooms can trigger a crash in Finch Failure to validate all fields of an incoming message can trigger a crash
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 45585
    published 2010-04-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45585
    title FreeBSD : pidgin -- multiple remote denial of service vulnerabilities (a2c4d3d5-4c7b-11df-83fb-0015587e2cc1)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_143317.NASL
    description GNOME 2.6.0: Instant Messaging patch. Date this patch was last updated by Sun : Nov/30/10 This plugin has been deprecated and either replaced with individual 143317 patch-revision plugins, or deemed non-security related.
    last seen 2019-02-21
    modified 2018-07-30
    plugin id 71656
    published 2013-12-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71656
    title Solaris 10 (sparc) : 143317-03 (deprecated)
oval via4
  • accepted 2013-09-30T04:01:05.961-04:00
    class vulnerability
    contributors
    name Shane Shaffer
    organization G2, Inc.
    definition_extensions
    comment Pidgin is installed
    oval oval:org.mitre.oval:def:12366
    description slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013.
    family windows
    id oval:org.mitre.oval:def:18348
    status accepted
    submitted 2013-08-16T15:36:10.221-04:00
    title slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013
    version 4
  • accepted 2013-04-29T04:19:18.591-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013.
    family unix
    id oval:org.mitre.oval:def:9421
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013.
    version 24
redhat via4
advisories
rhsa
id RHSA-2010:0115
rpms
  • finch-0:2.6.6-1.el4
  • finch-devel-0:2.6.6-1.el4
  • libpurple-0:2.6.6-1.el4
  • libpurple-devel-0:2.6.6-1.el4
  • libpurple-perl-0:2.6.6-1.el4
  • libpurple-tcl-0:2.6.6-1.el4
  • pidgin-0:2.6.6-1.el4
  • pidgin-devel-0:2.6.6-1.el4
  • pidgin-perl-0:2.6.6-1.el4
  • finch-0:2.6.6-1.el5
  • finch-devel-0:2.6.6-1.el5
  • libpurple-0:2.6.6-1.el5
  • libpurple-devel-0:2.6.6-1.el5
  • libpurple-perl-0:2.6.6-1.el5
  • libpurple-tcl-0:2.6.6-1.el5
  • pidgin-0:2.6.6-1.el5
  • pidgin-devel-0:2.6.6-1.el5
  • pidgin-perl-0:2.6.6-1.el5
refmap via4
bid 38294
confirm
fedora
  • FEDORA-2010-1279
  • FEDORA-2010-1383
  • FEDORA-2010-1934
mandriva
  • MDVSA-2010:041
  • MDVSA-2010:085
misc http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html
mlist [oss-security] 20100107 Re: CVE request - pidgin MSN arbitrary file upload
secunia
  • 38563
  • 38640
  • 38658
  • 38712
  • 38915
  • 41868
suse SUSE-SR:2010:006
ubuntu USN-902-1
vupen
  • ADV-2010-0413
  • ADV-2010-1020
  • ADV-2010-2693
statements via4
contributor Tomas Hoger
lastmodified 2010-02-22
organization Red Hat
statement This issue was addressed for Red Hat Enterprise Linux 4 and 5 via https://rhn.redhat.com/errata/RHSA-2010-0115.html We currently have no plans to fix this flaw in Red Hat Enterprise Linux 3 as the MSN protocol support in the provided version of Pidgin (1.5.1) is out-dated and no longer supported by MSN servers. There are no plans to backport MSN protocol changes for that version of Pidgin.
Last major update 02-11-2013 - 22:56
Published 09-01-2010 - 13:30
Last modified 18-09-2017 - 21:30
Back to Top