ID CVE-2010-0423
Summary gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat.
References
Vulnerable Configurations
  • Pidgin 2.6.5
    cpe:2.3:a:pidgin:pidgin:2.6.5
  • Pidgin 2.6.4
    cpe:2.3:a:pidgin:pidgin:2.6.4
  • Pidgin 2.6.2
    cpe:2.3:a:pidgin:pidgin:2.6.2
  • Pidgin 2.6.1
    cpe:2.3:a:pidgin:pidgin:2.6.1
  • Pidgin 2.6.0
    cpe:2.3:a:pidgin:pidgin:2.6.0
  • Pidgin 2.5.9
    cpe:2.3:a:pidgin:pidgin:2.5.9
  • Pidgin 2.5.8
    cpe:2.3:a:pidgin:pidgin:2.5.8
  • Pidgin 2.5.7
    cpe:2.3:a:pidgin:pidgin:2.5.7
  • Pidgin 2.5.6
    cpe:2.3:a:pidgin:pidgin:2.5.6
  • Pidgin 2.5.5
    cpe:2.3:a:pidgin:pidgin:2.5.5
  • Pidgin 2.5.4
    cpe:2.3:a:pidgin:pidgin:2.5.4
  • Pidgin 2.5.3
    cpe:2.3:a:pidgin:pidgin:2.5.3
  • Pidgin 2.5.2
    cpe:2.3:a:pidgin:pidgin:2.5.2
  • Pidgin 2.5.1
    cpe:2.3:a:pidgin:pidgin:2.5.1
  • Pidgin 2.5.0
    cpe:2.3:a:pidgin:pidgin:2.5.0
  • Pidgin 2.4.3
    cpe:2.3:a:pidgin:pidgin:2.4.3
  • Pidgin 2.4.2
    cpe:2.3:a:pidgin:pidgin:2.4.2
  • Pidgin 2.4.1
    cpe:2.3:a:pidgin:pidgin:2.4.1
  • Pidgin 2.4.0
    cpe:2.3:a:pidgin:pidgin:2.4.0
  • Pidgin 2.3.1
    cpe:2.3:a:pidgin:pidgin:2.3.1
  • Pidgin 2.3.0
    cpe:2.3:a:pidgin:pidgin:2.3.0
  • Pidgin 2.2.2
    cpe:2.3:a:pidgin:pidgin:2.2.2
  • Pidgin 2.2.1
    cpe:2.3:a:pidgin:pidgin:2.2.1
  • Pidgin 2.2.0
    cpe:2.3:a:pidgin:pidgin:2.2.0
  • Pidgin 2.1.1
    cpe:2.3:a:pidgin:pidgin:2.1.1
  • Pidgin 2.1.0
    cpe:2.3:a:pidgin:pidgin:2.1.0
  • Pidgin 2.0.2
    cpe:2.3:a:pidgin:pidgin:2.0.2
  • Pidgin 2.0.1
    cpe:2.3:a:pidgin:pidgin:2.0.1
  • Pidgin 2.0.0
    cpe:2.3:a:pidgin:pidgin:2.0.0
CVSS
Base: 5.0 (as of 25-02-2010 - 09:15)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2010-0115.NASL
    description Updated pidgin packages that fix three security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. An input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277) A denial of service flaw was found in Finch's XMPP chat implementation, when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML 'br' element, it would cause Finch to crash. (CVE-2010-0420) Red Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project for responsibly reporting the CVE-2010-0420 issue. A denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. (CVE-2010-0423) These packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog All Pidgin users are advised to upgrade to these updated packages, which correct these issues. Pidgin must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 44666
    published 2010-02-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44666
    title RHEL 4 / 5 : pidgin (RHSA-2010:0115)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-041.NASL
    description Multiple security vulnerabilities have been identified and fixed in pidgin : Certain malformed SLP messages can trigger a crash because the MSN protocol plugin fails to check that all pieces of the message are set correctly (CVE-2010-0277). If a user in a multi-user chat room has a nickname containing '<br>' then libpurple ends up having two users with username '<br>' in the room, and Finch crashes in this situation. We do not believe there is a possibility of remote code execution (CVE-2010-0420). oCERT notified us about a problem in Pidgin, where a large amount of processing time will be used when inserting many smileys into an IM or chat window. This should not cause a crash, but Pidgin can become unusably slow (CVE-2010-0423). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. This update provides pidgin 2.6.6, which is not vulnerable to these issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 44664
    published 2010-02-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44664
    title Mandriva Linux Security Advisory : pidgin (MDVSA-2010:041)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2038.NASL
    description Several remote vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2010-0420 Crafted nicknames in the XMPP protocol can crash Pidgin remotely. - CVE-2010-0423 Remote contacts may send too many custom smilies, crashing Pidgin. Since a few months, Microsoft's servers for MSN have changed the protocol, making Pidgin non-functional for use with MSN. It is not feasible to port these changes to the version of Pidgin in Debian Lenny. This update formalises that situation by disabling the protocol in the client. Users of the MSN protocol are advised to use the version of Pidgin in the repositories of www.backports.org.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 45560
    published 2010-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45560
    title Debian DSA-2038-1 : pidgin - several vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_2_FINCH-100219.NASL
    description This update of pidgin fixes various security vulnerabilities - CVE-2010-0013: CVSS v2 Base Score: 4.3: Path Traversal (CWE-22) Remote file disclosure vulnerability by using the MSN protocol. - CVE-2010-0277: CVSS v2 Base Score: 4.9: Resource Management Errors (CWE-399) MSN protocol plugin in libpurple allowed remote attackers to cause a denial of service (memory corruption) at least. - CVE-2010-0420 Same nicknames in XMPP MUC lead to a crash in finch. - CVE-2010-0423 A remote denial of service attack (resource consumption) is possible by sending an IM with a lot of smilies in it.
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 44982
    published 2010-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44982
    title openSUSE Security Update : finch (finch-2032)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2010-085.NASL
    description Security vulnerabilities have been identified and fixed in pidgin : The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client (CVE-2009-3615). Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon (CVE-2010-0013). Certain malformed SLP messages can trigger a crash because the MSN protocol plugin fails to check that all pieces of the message are set correctly (CVE-2010-0277). If a user in a multi-user chat room has a nickname containing '<br>' then libpurple ends up having two users with username '<br>' in the room, and Finch crashes in this situation. We do not believe there is a possibility of remote code execution (CVE-2010-0420). oCERT notified us about a problem in Pidgin, where a large amount of processing time will be used when inserting many smileys into an IM or chat window. This should not cause a crash, but Pidgin can become unusably slow (CVE-2010-0423). Packages for 2009.0 are provided due to the Extended Maintenance Program. This update provides pidgin 2.6.6, which is not vulnerable to these issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 46177
    published 2010-04-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=46177
    title Mandriva Linux Security Advisory : pidgin (MDVSA-2010:085)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_FINCH-100219.NASL
    description This update of pidgin fixes various security vulnerabilities : - Remote file disclosure vulnerability by using the MSN protocol. (CVE-2010-0013: CVSS v2 Base Score: 4.3 : Path Traversal (CWE-22)) - MSN protocol plugin in libpurple allowed remote attackers to cause a denial of service (memory corruption) at least. (CVE-2010-0277: CVSS v2 Base Score: 4.9 : Resource Management Errors (CWE-399)) - Same nicknames in XMPP MUC lead to a crash in finch. (CVE-2010-0420) - A remote denial of service attack (resource consumption) is possible by sending an IM with a lot of smilies in it. (CVE-2010-0423)
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 44965
    published 2010-03-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44965
    title SuSE 11 Security Update : pidgin (SAT Patch Number 2019)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20100218_PIDGIN_ON_SL4_X.NASL
    description CVE-2010-0277 pidgin MSN protocol plugin memory corruption CVE-2010-0420 pidgin: Finch XMPP MUC Crash CVE-2010-0423 pidgin: Smiley Denial of Service An input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277) A denial of service flaw was found in Finch's XMPP chat implementation, when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML 'br' element, it would cause Finch to crash. (CVE-2010-0420) A denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. (CVE-2010-0423) Pidgin must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60738
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60738
    title Scientific Linux Security Update : pidgin on SL4.x, SL5.x i386/x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-902-1.NASL
    description Fabian Yamaguchi discovered that Pidgin incorrectly validated all fields of an incoming message in the MSN protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. (CVE-2010-0277) Sadrul Habib Chowdhury discovered that Pidgin incorrectly handled certain nicknames in Finch group chat rooms. A remote attacker could use a specially crafted nickname and cause Pidgin to crash, leading to a denial of service. (CVE-2010-0420) Antti Hayrynen discovered that Pidgin incorrectly handled large numbers of smileys. A remote attacker could send a specially crafted message and cause Pidgin to become unresponsive, leading to a denial of service. (CVE-2010-0423). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 44688
    published 2010-02-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44688
    title Ubuntu 8.04 LTS / 8.10 / 9.04 / 9.10 : pidgin vulnerabilities (USN-902-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_FINCH-100219.NASL
    description This update of pidgin fixes various security vulnerabilities - CVE-2010-0013: CVSS v2 Base Score: 4.3: Path Traversal (CWE-22) Remote file disclosure vulnerability by using the MSN protocol. - CVE-2010-0277: CVSS v2 Base Score: 4.9: Resource Management Errors (CWE-399) MSN protocol plugin in libpurple allowed remote attackers to cause a denial of service (memory corruption) at least. - CVE-2010-0420 Same nicknames in XMPP MUC lead to a crash in finch. - CVE-2010-0423 A remote denial of service attack (resource consumption) is possible by sending an IM with a lot of smilies in it.
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 44979
    published 2010-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44979
    title openSUSE Security Update : finch (finch-2032)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_FINCH-6856.NASL
    description This update of pidgin fixes various security vulnerabilities : - Remote file disclosure vulnerability by using the MSN protocol. CVE-2010-0277: CVSS v2 Base Score: 4.9: Resource Management Errors (CWE-399) MSN protocol plugin in libpurple allowed remote attackers to cause a denial of service (memory corruption) at least. CVE-2010-0420: Same nicknames in XMPP MUC lead to a crash in finch. CVE-2010-0423: A remote denial of service attack (resource consumption) is possible by sending an IM with a lot of smilies in it. (CVE-2010-0013: CVSS v2 Base Score: 4.3: Path Traversal (CWE-22))
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 51727
    published 2011-01-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51727
    title SuSE 10 Security Update : pidgin (ZYPP Patch Number 6856)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-1934.NASL
    description 2.6.6 with security and numerous minor bug fixes CVE-2010-0277 CVE-2010-0420 CVE-2010-0423 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-08
    plugin id 47286
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47286
    title Fedora 13 : pidgin-2.6.6-1.fc13 (2010-1934)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2010-0115.NASL
    description Updated pidgin packages that fix three security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. An input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277) A denial of service flaw was found in Finch's XMPP chat implementation, when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML 'br' element, it would cause Finch to crash. (CVE-2010-0420) Red Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project for responsibly reporting the CVE-2010-0420 issue. A denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. (CVE-2010-0423) These packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog All Pidgin users are advised to upgrade to these updated packages, which correct these issues. Pidgin must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 44671
    published 2010-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44671
    title CentOS 4 / 5 : pidgin (CESA-2010:0115)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_FINCH-6861.NASL
    description This update of pidgin fixes various security vulnerabilities : - Remote file disclosure vulnerability by using the MSN protocol. CVE-2010-0277: CVSS v2 Base Score: 4.9: Resource Management Errors (CWE-399) MSN protocol plugin in libpurple allowed remote attackers to cause a denial of service (memory corruption) at least. CVE-2010-0420: Same nicknames in XMPP MUC lead to a crash in finch. CVE-2010-0423: A remote denial of service attack (resource consumption) is possible by sending an IM with a lot of smilies in it. (CVE-2010-0013: CVSS v2 Base Score: 4.3: Path Traversal (CWE-22))
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 51728
    published 2011-01-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51728
    title SuSE 10 Security Update : pidgin (ZYPP Patch Number 6861)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_FINCH-100219.NASL
    description This update of pidgin fixes various security vulnerabilities - CVE-2010-0013: CVSS v2 Base Score: 4.3: Path Traversal (CWE-22) Remote file disclosure vulnerability by using the MSN protocol. - CVE-2010-0277: CVSS v2 Base Score: 4.9: Resource Management Errors (CWE-399) MSN protocol plugin in libpurple allowed remote attackers to cause a denial of service (memory corruption) at least. - CVE-2010-0420 Same nicknames in XMPP MUC lead to a crash in finch. - CVE-2010-0423 A remote denial of service attack (resource consumption) is possible by sending an IM with a lot of smilies in it.
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 44976
    published 2010-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=44976
    title openSUSE Security Update : finch (finch-2032)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-1279.NASL
    description 2.6.6 with security and numerous minor bug fixes CVE-2010-0277 CVE-2010-0420 CVE-2010-0423 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 47244
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47244
    title Fedora 11 : pidgin-2.6.6-1.fc11 (2010-1279)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2010-1383.NASL
    description 2.6.6 with security and numerous minor bug fixes CVE-2010-0277 CVE-2010-0420 CVE-2010-0423 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 47252
    published 2010-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47252
    title Fedora 12 : pidgin-2.6.6-1.fc12 (2010-1383)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2010-0115.NASL
    description From Red Hat Security Advisory 2010:0115 : Updated pidgin packages that fix three security issues are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. An input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277) A denial of service flaw was found in Finch's XMPP chat implementation, when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML 'br' element, it would cause Finch to crash. (CVE-2010-0420) Red Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project for responsibly reporting the CVE-2010-0420 issue. A denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. (CVE-2010-0423) These packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog All Pidgin users are advised to upgrade to these updated packages, which correct these issues. Pidgin must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68001
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68001
    title Oracle Linux 4 : pidgin (ELSA-2010-0115)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2010-069-01.NASL
    description New pidgin packages are available for Slackware 12.0, 12.1, 12.2, 13.0, and -current to fix denial of service issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 45024
    published 2010-03-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45024
    title Slackware 12.0 / 12.1 / 12.2 / 13.0 / current : pidgin (SSA:2010-069-01)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_A2C4D3D54C7B11DF83FB0015587E2CC1.NASL
    description Three denial of service vulnerabilities were found in pidgin and allow remote attackers to crash the application. The developers summarized these problems as follows : - Pidgin can become unresponsive when displaying large numbers of smileys - Certain nicknames in group chat rooms can trigger a crash in Finch - Failure to validate all fields of an incoming message can trigger a crash
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 45585
    published 2010-04-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=45585
    title FreeBSD : pidgin -- multiple remote denial of service vulnerabilities (a2c4d3d5-4c7b-11df-83fb-0015587e2cc1)
oval via4
  • accepted 2013-09-30T04:00:38.133-04:00
    class vulnerability
    contributors
    • name Shane Shaffer
      organization G2, Inc.
    definition_extensions
    • comment Pidgin is installed
      oval oval:org.mitre.oval:def:12366
    description gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat.
    family windows
    id oval:org.mitre.oval:def:17554
    status accepted
    submitted 2013-08-16T15:36:10.221-04:00
    title gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat
    version 4
  • accepted 2013-04-29T04:22:42.255-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat.
    family unix
    id oval:org.mitre.oval:def:9842
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat.
    version 24
redhat via4
advisories
bugzilla
id 565792
title CVE-2010-0423 pidgin: Smiley Denial of Service
oval
OR
  • AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304001
    • OR
      • AND
        • comment finch is earlier than 0:2.6.6-1.el4
          oval oval:com.redhat.rhsa:tst:20100115004
        • comment finch is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023015
      • AND
        • comment finch-devel is earlier than 0:2.6.6-1.el4
          oval oval:com.redhat.rhsa:tst:20100115012
        • comment finch-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023013
      • AND
        • comment libpurple is earlier than 0:2.6.6-1.el4
          oval oval:com.redhat.rhsa:tst:20100115008
        • comment libpurple is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023005
      • AND
        • comment libpurple-devel is earlier than 0:2.6.6-1.el4
          oval oval:com.redhat.rhsa:tst:20100115018
        • comment libpurple-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023017
      • AND
        • comment libpurple-perl is earlier than 0:2.6.6-1.el4
          oval oval:com.redhat.rhsa:tst:20100115010
        • comment libpurple-perl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023007
      • AND
        • comment libpurple-tcl is earlier than 0:2.6.6-1.el4
          oval oval:com.redhat.rhsa:tst:20100115016
        • comment libpurple-tcl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023019
      • AND
        • comment pidgin is earlier than 0:2.6.6-1.el4
          oval oval:com.redhat.rhsa:tst:20100115002
        • comment pidgin is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20080584003
      • AND
        • comment pidgin-devel is earlier than 0:2.6.6-1.el4
          oval oval:com.redhat.rhsa:tst:20100115014
        • comment pidgin-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023009
      • AND
        • comment pidgin-perl is earlier than 0:2.6.6-1.el4
          oval oval:com.redhat.rhsa:tst:20100115006
        • comment pidgin-perl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023011
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment finch is earlier than 0:2.6.6-1.el5
          oval oval:com.redhat.rhsa:tst:20100115027
        • comment finch is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584016
      • AND
        • comment finch-devel is earlier than 0:2.6.6-1.el5
          oval oval:com.redhat.rhsa:tst:20100115033
        • comment finch-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584014
      • AND
        • comment libpurple is earlier than 0:2.6.6-1.el5
          oval oval:com.redhat.rhsa:tst:20100115023
        • comment libpurple is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584020
      • AND
        • comment libpurple-devel is earlier than 0:2.6.6-1.el5
          oval oval:com.redhat.rhsa:tst:20100115037
        • comment libpurple-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584018
      • AND
        • comment libpurple-perl is earlier than 0:2.6.6-1.el5
          oval oval:com.redhat.rhsa:tst:20100115029
        • comment libpurple-perl is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584010
      • AND
        • comment libpurple-tcl is earlier than 0:2.6.6-1.el5
          oval oval:com.redhat.rhsa:tst:20100115035
        • comment libpurple-tcl is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584012
      • AND
        • comment pidgin is earlier than 0:2.6.6-1.el5
          oval oval:com.redhat.rhsa:tst:20100115021
        • comment pidgin is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584008
      • AND
        • comment pidgin-devel is earlier than 0:2.6.6-1.el5
          oval oval:com.redhat.rhsa:tst:20100115025
        • comment pidgin-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584024
      • AND
        • comment pidgin-perl is earlier than 0:2.6.6-1.el5
          oval oval:com.redhat.rhsa:tst:20100115031
        • comment pidgin-perl is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584022
rhsa
id RHSA-2010:0115
released 2010-02-18
severity Moderate
title RHSA-2010:0115: pidgin security update (Moderate)
rpms
  • finch-0:2.6.6-1.el4
  • finch-devel-0:2.6.6-1.el4
  • libpurple-0:2.6.6-1.el4
  • libpurple-devel-0:2.6.6-1.el4
  • libpurple-perl-0:2.6.6-1.el4
  • libpurple-tcl-0:2.6.6-1.el4
  • pidgin-0:2.6.6-1.el4
  • pidgin-devel-0:2.6.6-1.el4
  • pidgin-perl-0:2.6.6-1.el4
  • finch-0:2.6.6-1.el5
  • finch-devel-0:2.6.6-1.el5
  • libpurple-0:2.6.6-1.el5
  • libpurple-devel-0:2.6.6-1.el5
  • libpurple-perl-0:2.6.6-1.el5
  • libpurple-tcl-0:2.6.6-1.el5
  • pidgin-0:2.6.6-1.el5
  • pidgin-devel-0:2.6.6-1.el5
  • pidgin-perl-0:2.6.6-1.el5
refmap via4
bid 38294
confirm
debian DSA-2038
fedora
  • FEDORA-2010-1279
  • FEDORA-2010-1383
  • FEDORA-2010-1934
mandriva
  • MDVSA-2010:041
  • MDVSA-2010:085
osvdb 62440
secunia
  • 38563
  • 38640
  • 38658
  • 38712
  • 38915
  • 39509
suse SUSE-SR:2010:006
ubuntu USN-902-1
vupen
  • ADV-2010-0413
  • ADV-2010-0914
  • ADV-2010-1020
xf pidgin-smileys-dos(56394)
statements via4
contributor Tomas Hoger
lastmodified 2010-02-25
organization Red Hat
statement The Red Hat Security Response Team has rated this issue as having low security impact. For Red Hat Enterprise Linux 4 and 5, this issue was addressed via https://rhn.redhat.com/errata/RHSA-2010-0115.html We currently have no plans to fix this flaw in Red Hat Enterprise Linux 3 as the issue only causes the Pidgin client to become unresponsive or crash.
Last major update 02-11-2013 - 22:56
Published 24-02-2010 - 13:30
Last modified 18-09-2017 - 21:30