ID CVE-2010-0423
Summary gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat.
References
Vulnerable Configurations
  • cpe:2.3:a:pidgin:pidgin:2.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.4.2:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.4.3:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.5.2:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.5.3:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.5.4:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.5.5:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.5.6:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.5.7:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.5.7:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.5.8:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.5.8:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.5.9:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.5.9:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.6.0:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.6.1:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.6.2:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.6.4:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:-:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:-:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:1.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:1.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.6.3:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.6.3:*:*:*:*:*:*:*
  • cpe:2.3:a:pidgin:pidgin:2.6.5:*:*:*:*:*:*:*
    cpe:2.3:a:pidgin:pidgin:2.6.5:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 19-09-2017 - 01:30)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
oval via4
  • accepted 2013-09-30T04:00:38.133-04:00
    class vulnerability
    contributors
    name Shane Shaffer
    organization G2, Inc.
    definition_extensions
    comment Pidgin is installed
    oval oval:org.mitre.oval:def:12366
    description gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat.
    family windows
    id oval:org.mitre.oval:def:17554
    status accepted
    submitted 2013-08-16T15:36:10.221-04:00
    title gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat
    version 4
  • accepted 2013-04-29T04:22:42.255-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat.
    family unix
    id oval:org.mitre.oval:def:9842
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat.
    version 24
redhat via4
advisories
bugzilla
id 565792
title CVE-2010-0423 pidgin: Smiley Denial of Service
oval
OR
  • AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304001
    • OR
      • AND
        • comment finch is earlier than 0:2.6.6-1.el4
          oval oval:com.redhat.rhsa:tst:20100115004
        • comment finch is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023015
      • AND
        • comment finch-devel is earlier than 0:2.6.6-1.el4
          oval oval:com.redhat.rhsa:tst:20100115012
        • comment finch-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023013
      • AND
        • comment libpurple is earlier than 0:2.6.6-1.el4
          oval oval:com.redhat.rhsa:tst:20100115008
        • comment libpurple is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023005
      • AND
        • comment libpurple-devel is earlier than 0:2.6.6-1.el4
          oval oval:com.redhat.rhsa:tst:20100115018
        • comment libpurple-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023017
      • AND
        • comment libpurple-perl is earlier than 0:2.6.6-1.el4
          oval oval:com.redhat.rhsa:tst:20100115010
        • comment libpurple-perl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023007
      • AND
        • comment libpurple-tcl is earlier than 0:2.6.6-1.el4
          oval oval:com.redhat.rhsa:tst:20100115016
        • comment libpurple-tcl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023019
      • AND
        • comment pidgin is earlier than 0:2.6.6-1.el4
          oval oval:com.redhat.rhsa:tst:20100115002
        • comment pidgin is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20080584003
      • AND
        • comment pidgin-devel is earlier than 0:2.6.6-1.el4
          oval oval:com.redhat.rhsa:tst:20100115014
        • comment pidgin-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023009
      • AND
        • comment pidgin-perl is earlier than 0:2.6.6-1.el4
          oval oval:com.redhat.rhsa:tst:20100115006
        • comment pidgin-perl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20081023011
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment finch is earlier than 0:2.6.6-1.el5
          oval oval:com.redhat.rhsa:tst:20100115027
        • comment finch is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584016
      • AND
        • comment finch-devel is earlier than 0:2.6.6-1.el5
          oval oval:com.redhat.rhsa:tst:20100115033
        • comment finch-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584014
      • AND
        • comment libpurple is earlier than 0:2.6.6-1.el5
          oval oval:com.redhat.rhsa:tst:20100115023
        • comment libpurple is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584020
      • AND
        • comment libpurple-devel is earlier than 0:2.6.6-1.el5
          oval oval:com.redhat.rhsa:tst:20100115037
        • comment libpurple-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584018
      • AND
        • comment libpurple-perl is earlier than 0:2.6.6-1.el5
          oval oval:com.redhat.rhsa:tst:20100115029
        • comment libpurple-perl is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584010
      • AND
        • comment libpurple-tcl is earlier than 0:2.6.6-1.el5
          oval oval:com.redhat.rhsa:tst:20100115035
        • comment libpurple-tcl is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584012
      • AND
        • comment pidgin is earlier than 0:2.6.6-1.el5
          oval oval:com.redhat.rhsa:tst:20100115021
        • comment pidgin is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584008
      • AND
        • comment pidgin-devel is earlier than 0:2.6.6-1.el5
          oval oval:com.redhat.rhsa:tst:20100115025
        • comment pidgin-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584024
      • AND
        • comment pidgin-perl is earlier than 0:2.6.6-1.el5
          oval oval:com.redhat.rhsa:tst:20100115031
        • comment pidgin-perl is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20080584022
rhsa
id RHSA-2010:0115
released 2010-02-18
severity Moderate
title RHSA-2010:0115: pidgin security update (Moderate)
rpms
  • finch-0:2.6.6-1.el4
  • finch-devel-0:2.6.6-1.el4
  • libpurple-0:2.6.6-1.el4
  • libpurple-devel-0:2.6.6-1.el4
  • libpurple-perl-0:2.6.6-1.el4
  • libpurple-tcl-0:2.6.6-1.el4
  • pidgin-0:2.6.6-1.el4
  • pidgin-devel-0:2.6.6-1.el4
  • pidgin-perl-0:2.6.6-1.el4
  • finch-0:2.6.6-1.el5
  • finch-devel-0:2.6.6-1.el5
  • libpurple-0:2.6.6-1.el5
  • libpurple-devel-0:2.6.6-1.el5
  • libpurple-perl-0:2.6.6-1.el5
  • libpurple-tcl-0:2.6.6-1.el5
  • pidgin-0:2.6.6-1.el5
  • pidgin-devel-0:2.6.6-1.el5
  • pidgin-perl-0:2.6.6-1.el5
refmap via4
bid 38294
confirm
debian DSA-2038
fedora
  • FEDORA-2010-1279
  • FEDORA-2010-1383
  • FEDORA-2010-1934
mandriva
  • MDVSA-2010:041
  • MDVSA-2010:085
osvdb 62440
secunia
  • 38563
  • 38640
  • 38658
  • 38712
  • 38915
  • 39509
suse SUSE-SR:2010:006
ubuntu USN-902-1
vupen
  • ADV-2010-0413
  • ADV-2010-0914
  • ADV-2010-1020
xf pidgin-smileys-dos(56394)
statements via4
contributor Tomas Hoger
lastmodified 2010-02-25
organization Red Hat
statement The Red Hat Security Response Team has rated this issue as having low security impact. For Red Hat Enterprise Linux 4 and 5, this issue was addressed via https://rhn.redhat.com/errata/RHSA-2010-0115.html We currently have no plans to fix this flaw in Red Hat Enterprise Linux 3 as the issue only causes Pidgin client to become unresponsive or crash.
Last major update 19-09-2017 - 01:30
Published 24-02-2010 - 18:30
Back to Top