Debian Security Advisory

DSA-2859-1 pidgin -- several vulnerabilities

Date Reported:

10 Feb 2014

Affected Packages:

Vulnerable:

Yes

Security database references:

More information:

Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client:

CVE-2013-6477
Jaime Breva Ribes discovered that a remote XMPP user can trigger a crash by sending a message with a timestamp in the distant future.
CVE-2013-6478
Pidgin could be crashed through overly wide tooltip windows.
CVE-2013-6479
Jacob Appelbaum discovered that a malicious server or a man in the middle could send a malformed HTTP header resulting in denial of service.
CVE-2013-6481
Daniel Atallah discovered that Pidgin could be crashed through malformed Yahoo! P2P messages.
CVE-2013-6482
Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed MSN messages.
CVE-2013-6483
Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed XMPP messages.
CVE-2013-6484
It was discovered that incorrect error handling when reading the response from a STUN server could result in a crash.
CVE-2013-6485
Matt Jones discovered a buffer overflow in the parsing of malformed HTTP responses.
CVE-2013-6487
Yves Younan and Ryan Pentney discovered a buffer overflow when parsing Gadu-Gadu messages.
CVE-2013-6489
Yves Younan and Pawel Janic discovered an integer overflow when parsing MXit emoticons.
CVE-2013-6490
Yves Younan discovered a buffer overflow when parsing SIMPLE headers.
CVE-2014-0020
Daniel Atallah discovered that Pidgin could be crashed via malformed IRC arguments.

For the oldstable distribution (squeeze), no direct backport is provided. A fixed package will be provided through backports.debian.org shortly.

For the stable distribution (wheezy), these problems have been fixed in version 2.10.9-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in version 2.10.9-1.

We recommend that you upgrade your pidgin packages.