KLA10932
Multiple vulnerabilities in Pidgin
Updated: 06/17/2019
Detect date
?
06/21/2016
Severity
?
High
Description

Multiple serious vulnerabilities have been found in Pidgin. Malicious users can exploit these vulnerabilities to overwrite arbitrary files, cause denial of service, obtain sensitive information.

Below is a complete list of vulnerabilities:

  1. A directory traversal vulnerability in the handling of MXIT protocol can be exploited remotely via specially designed MXIT data sent from the server to overwrite arbitrary files;
  2. An out-of-bounds read vulnerability can be exploited remotely via specialy designed MXIT data (a particular string) possibly to obtain sensitive information;
  3. A buffer overflow vulnerability in the handling of MXIT protocol can be exploited remotely via specially designed data possibly to cause a denial of service.

Technical details

Vulnerability (1) occurs if liburple is triggered by man-in-the-middle or a malicious server to overwrite local files. The name and and content of these files can be specified by the remote attacker.

To trigger vulnerability (3) a malicious server or man-in-the-middle can send negative length values.

Affected products

Pidgin versions earlier than 2.11.0

Solution

Update to the latest version
Download Pidgin

Original advisories

Pidgin Security Advisory

Impacts
?
OSI 
[?]

DoS 
[?]

OAF 
[?]
CVE-IDS
?