-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin ASB-2014.0013
         Multiple vulnerabilities have been identified in Pidgin
                              3 February 2014
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Pidgin
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0020 CVE-2013-6490 CVE-2013-6489 CVE-2013-6487
                   CVE-2013-6486 CVE-2013-6485 CVE-2013-6484 CVE-2013-6483
                   CVE-2013-6482 CVE-2013-6481 CVE-2013-6479 CVE-2013-6478
                   CVE-2013-6477 CVE-2012-6152 CVE-2011-3185
Member content until: Wednesday, March 5 2014

OVERVIEW

        A number of vulnerabilities have been identified in Pidgin prior to
        version 2.10.8.

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        "CVE-2012-6152: Many places in the Yahoo! protocol plugin assumed
        incoming strings were UTF-8 and failed to transcode from non-UTF-8
        encodings. This can lead to a crash when receiving strings that
        aren't UTF-8." [1]

        "CVE-2013-6477: A remote XMPP user can trigger a crash on some
        systems by sending a message with a timestamp in the distant
        future." [2]

        "CVE-2013-6478: libX11 forcefully exits when Pidgin tries to create
        an exceptionally wide tooltip window." [3]

        "CVE-2013-6479: A malicious server or man-in-the-middle could send a
        malformed HTTP response that could lead to a crash." [4]

        "CVE-2013-6481: The Yahoo! protocol plugin failed to validate a
        length field before trying to read from a buffer, which could result
        in reading past the end of the buffer which could cause a crash." [5]

        "CVE-2013-6482: A malformed Content-Length header could lead to a
        NULL pointer dereference." [6 - 8]

        "CVE-2013-6483: The XMPP protocol plugin failed to ensure that iq
        replies came from the person they were sent to. A remote user could
        send a spoofed iq reply and attempt to guess the iq id. This could
        allow an attacker to inject fake data or trigger a null pointer
        dereference." [9]

        "CVE-2013-6484: Incorrect error handling when reading the response
        from a STUN server could lead to a crash." [10]

        "CVE-2013-6485: A malicious server or man-in-the-middle could cause
        a buffer overflow by sending a malformed HTTP response with chunked
        Transfer-Encoding with invalid chunk sizes." [11]

        "CVE-2013-6486: If a user clicks on a file:// URI in a received IM
        in Windows builds of Pidgin, Pidgin attempts to execute the file.
        This can be dangerous if the file:// URI is a path on a network
        share. This was originally reported in CVE-2011-3185 in 2011 and we
        attempted to fix it then, but failed." [12]

        "CVE-2013-6487: A malicious server or man-in-the-middle could send a
        large value for Content-Length and cause an integer overflow which
        could lead to a buffer overflow." [13]

        "CVE-2013-6489: A specially crafted emoticon value could cause an
        integer overflow which could lead to a buffer overflow." [14]

        "CVE-2013-6490: A Content-Length of -1 could lead to a buffer
        overflow." [15]

        "CVE-2014-0020: A malicious server or man-in-the-middle could
        trigger a crash in libpurple by sending a message with fewer than
        expected arguments." [16]

MITIGATION

        The vendor recommends updating to the latest version of Pidgin to
        correct these issues. [1 - 16]

REFERENCES

        [1] Yahoo! remote crash from incorrect character encoding
            http://www.pidgin.im/news/security/?id=70

        [2] Crash handling bad XMPP timestamp
            http://www.pidgin.im/news/security/?id=71

        [3] Crash when hovering pointer over a long URL
            http://www.pidgin.im/news/security/?id=72

        [4] Remote crash parsing HTTP responses
            http://www.pidgin.im/news/security/?id=73

        [5] Remote crash reading Yahoo! P2P message
            http://www.pidgin.im/news/security/?id=74

        [6] NULL pointer dereference parsing headers in MSN
            http://www.pidgin.im/news/security/?id=75

        [7] NULL pointer dereference parsing OIM data in MSN
            http://www.pidgin.im/news/security/?id=76

        [8] CVE-2013-6482
            http://www.pidgin.im/news/security/?id=77

        [9] XMPP doesn't verify 'from' on some iq replies
            http://www.pidgin.im/news/security/?id=78

        [10] Crash reading response from STUN server
             http://www.pidgin.im/news/security/?id=79

        [11] Buffer overflow parsing chunked HTTP responses
             http://www.pidgin.im/news/security/?id=80

        [12] Pidgin uses clickable links to untrusted executables
             http://www.pidgin.im/news/security/?id=81

        [13] Buffer overflow in Gadu-Gadu HTTP parsing
             http://www.pidgin.im/news/security/?id=82

        [14] Buffer overflow in MXit emoticon parsing
             http://www.pidgin.im/news/security/?id=83

        [15] Buffer overflow in SIMPLE header parsing
             http://www.pidgin.im/news/security/?id=84

        [16] Remotely triggerable crash in IRC argument parsing
             http://www.pidgin.im/news/security/?id=85

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.
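Three of the IMPACT entries above (CVE-2013-6482, CVE-2013-6487 and CVE-2013-6490) are the same class of bug: a Content-Length header from a malicious server or man-in-the-middle is parsed as a signed integer and then used to size an allocation and a copy, so "-1" or a very large value ends in a buffer overflow or a NULL dereference. The following C program is an added example written for this bulletin; it is not libpurple code and does not reproduce any of the referenced fixes. It places the naive size computation next to a hardened Content-Length parser and a body reader that refuses malformed, oversized or truncated responses. The MAX_BODY limit, the helper names and the sample HTTP responses in main() are all constructed for the example.

```c
/* Added example (not libpurple code): the Content-Length handling pattern behind
 * CVE-2013-6482 / CVE-2013-6487 / CVE-2013-6490 as a naive size computation next
 * to a hardened parser. Sample responses in main() are constructed for this example. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Largest body we are willing to buffer: a policy choice assumed for the example.
 * Keeping it far below SIZE_MAX is what makes the later "+ 1" arithmetic safe. */
#define MAX_BODY (16u * 1024u * 1024u)

/* Locate a header value in a CRLF-separated header block (case-insensitive name).
 * Returns a pointer to the first non-blank character of the value and stores its
 * length (up to end of line) in *len; NULL if the header is absent. */
static const char *find_header(const char *hdrs, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = hdrs;
    while (*p) {
        const char *eol = strstr(p, "\r\n");
        if (!eol) eol = p + strlen(p);
        if ((size_t)(eol - p) > nlen && p[nlen] == ':' &&
            strncasecmp(p, name, nlen) == 0) {
            const char *v = p + nlen + 1;
            while (v < eol && (*v == ' ' || *v == '\t')) v++;
            *len = (size_t)(eol - v);
            return v;
        }
        if (!*eol) break;
        p = eol + 2;
    }
    return NULL;
}

/* The unsafe pattern: atoi() into a signed int, then "+ 1" for the NUL terminator in
 * unsigned arithmetic. "Content-Length: -1" yields an allocation of 0 bytes, after
 * which copying the advertised body length overflows the heap. This function only
 * reports the size such code would allocate; it touches no memory. */
unsigned int naive_alloc_size(const char *hdrs)
{
    size_t vlen;
    const char *v = find_header(hdrs, "Content-Length", &vlen);
    int len = v ? atoi(v) : 0;
    return (unsigned int)len + 1u;   /* -1 -> 0; wraps instead of failing */
}

/* Hardened parsing: digits only ("-1", "+5", " 5", "1e9" are all rejected), accumulated
 * with an overflow-proof bound check against MAX_BODY. Returns 0 and stores the length
 * on success, -1 on a missing, malformed or oversized value. */
int parse_content_length(const char *hdrs, size_t *out)
{
    size_t vlen, n = 0;
    const char *v = find_header(hdrs, "Content-Length", &vlen);
    if (!v || vlen == 0) return -1;
    for (size_t i = 0; i < vlen; i++) {
        if (!isdigit((unsigned char)v[i])) return -1;
        unsigned int d = (unsigned int)(v[i] - '0');
        if (n > (MAX_BODY - d) / 10) return -1;   /* n*10 + d would exceed MAX_BODY */
        n = n * 10 + d;
    }
    *out = n;
    return 0;
}

/* Copy the body after the blank line into a buffer sized by the validated Content-Length.
 * A body shorter than advertised is refused rather than read past its end. Bodies are
 * treated as text (strlen), which is enough for the example. Caller frees the result. */
char *read_body(const char *response, size_t *body_len)
{
    const char *sep = strstr(response, "\r\n\r\n");
    if (!sep) return NULL;
    size_t hlen = (size_t)(sep - response);
    char *hdrs = malloc(hlen + 1);       /* isolate headers so body text is never parsed as one */
    if (!hdrs) return NULL;
    memcpy(hdrs, response, hlen);
    hdrs[hlen] = '\0';
    size_t want;
    int rc = parse_content_length(hdrs, &want);
    free(hdrs);
    if (rc != 0) return NULL;
    const char *body = sep + 4;
    if (strlen(body) < want) return NULL;
    char *buf = malloc(want + 1);        /* want <= MAX_BODY, so + 1 cannot wrap */
    if (!buf) return NULL;
    memcpy(buf, body, want);
    buf[want] = '\0';
    *body_len = want;
    return buf;
}

int main(void)
{
    /* Constructed sample responses for this example. */
    const char *neg = "HTTP/1.1 200 OK\r\nContent-Length: -1\r\n\r\nhello";
    const char *big = "HTTP/1.1 200 OK\r\nContent-Length: 99999999999999999999\r\n\r\n";
    const char *ok  = "HTTP/1.1 200 OK\r\ncontent-length: 5\r\n\r\nhello world";
    size_t n = 0;

    printf("naive allocation for 'Content-Length: -1': %u bytes\n", naive_alloc_size(neg));
    char *body = read_body(ok, &n);
    printf("valid response: body=\"%s\" (%zu bytes)\n", body ? body : "(null)", n);
    free(body);
    printf("negative length rejected: %s\n", read_body(neg, &n) ? "no" : "yes");
    printf("oversized length rejected: %s\n", read_body(big, &n) ? "no" : "yes");
    return 0;
}
```

The point of the bound check is that the parser never computes a value larger than MAX_BODY, so every later "length + 1" or "offset + length" expression is provably free of wrap-around; rejecting a sign character is what closes the "-1" case, and the strlen() comparison before memcpy() is what prevents the over-read when a peer advertises more than it sends. The same shape applies to chunk sizes in a chunked Transfer-Encoding response (CVE-2013-6485): parse as unsigned digits with an explicit upper bound before using the value as a length.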
===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUu8l4BLndAQH1ShLAQJq3w//TITQk1BKWGAOsndn4lazzWdTsZ7WU6Wp
TAxNybG6JZsKoccL9EucNBNG1EJfcm3UagRQ4Bwu7x0x1SwIWL+A684JmyK34/kZ
SAyj1urLFIXs/ItvJ2t8juvcmEVUVlG9vNZhbAYLZh9LWuuaoqSzDvtgHkvbbyln
KCxeAfvUuk+1q/jiUusmmaFvcTfkvhBKMxjT+nC5xVtJXqPL9JdgzhLzH3SyErTq
X5XbTIQgsgELoB1iX6r5MFq7CTSG3NfgMW7t6pPPgnsFGm53pvq0wivSl5jxWpaj
KG6dBUFaqHxFXwy9o6vcfKPlgNjp6juFTEY7W31nxz3exEFep6a1Wh1FDfLoWbwA
g1S8F1220qCn8QbGozlZtT6cbjEIs4jbAtMQ7QKkpEIfo9T8R4bDY0PngAPSypIF
y3/DajQsTJbvmt4vMQZ+rAmYYxhLrFTcd6czGgM7Ouna60oUIIuB6i2UU1HB/YiI
kbQY1+3oNeuQD8H+WnuXRh8rJriaSEhwSAmJmcWZbsDhUJKImJYXI2qZCD2SdOAs
JvJP5sGwuINlmlzbptrrjWcJRFzyRQliicgDW7lwNYbRwf9Grav1p88Xku0R3ldp
S2TreaMpBPls+bwCF8OCI/t5dB8Ymck6sJv+/UzHVUiqJoSTl/L3Lnr/YvFRg+tF
veuaockzttE=
=kmFc
-----END PGP SIGNATURE-----