Vulnerabilities > CVE-2009-3615 - Resource Management Errors vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2009-10702.NASL description This update fixes : - Bug #529357 - CVE-2009-3615 Pidgin: Invalid pointer dereference (crash) after receiving contacts from SIM IM client Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 42195 published 2009-10-22 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/42195 title Fedora 10 : pidgin-2.6.3-2.fc10 (2009-10702) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-1535.NASL description An updated pidgin package that fixes several security issues is now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. An invalid pointer dereference bug was found in the way the Pidgin OSCAR protocol implementation processed lists of contacts. A remote attacker could send a specially crafted contact list to a user running Pidgin, causing Pidgin to crash. (CVE-2009-3615) A NULL pointer dereference flaw was found in the way the Pidgin IRC protocol plug-in handles IRC topics. A malicious IRC server could send a specially crafted IRC TOPIC message, which once received by Pidgin, would lead to a denial of service (Pidgin crash). (CVE-2009-2703) A NULL pointer dereference flaw was found in the way the Pidgin MSN protocol plug-in handles improper MSNSLP invitations. A remote attacker could send a specially crafted MSNSLP invitation request, which once accepted by a valid Pidgin user, would lead to a denial of service (Pidgin crash). (CVE-2009-3083) All Pidgin users should upgrade to this updated package, which contains backported patches to resolve these issues. Pidgin must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 42309 published 2009-10-30 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/42309 title CentOS 3 : pidgin (CESA-2009:1535) NASL family SuSE Local Security Checks NASL id SUSE_11_FINCH-090221.NASL description This update of pidgin fixes the following issues : - Allowed to send confidential data unencrypted even if SSL was chosen by user. (CVE-2009-3026: CVSS v2 Base Score: 5.0) - Remote denial of service in yahoo IM plug-in. (CVE-2009-3025: CVSS v2 Base Score: 4.3) - Remote denial of service in MSN plug-in. (CVE-2009-3083: CVSS v2 Base Score: 5.0) - Remote denial of service in MSN plug-in. (CVE-2009-3084: CVSS v2 Base Score: 5.0) - Remote denial of service in XMPP plug-in. (CVE-2009-3085: CVSS v2 Base Score: 5.0) - Remote denial of service in ICQ plug-in. (CVE-2009-3615: CVSS v2 Base Score: 5.0) last seen 2020-06-01 modified 2020-06-02 plugin id 42989 published 2009-12-03 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42989 title SuSE 11 Security Update : pidgin (SAT Patch Number 1604) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-1535.NASL description From Red Hat Security Advisory 2009:1535 : An updated pidgin package that fixes several security issues is now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. An invalid pointer dereference bug was found in the way the Pidgin OSCAR protocol implementation processed lists of contacts. A remote attacker could send a specially crafted contact list to a user running Pidgin, causing Pidgin to crash. (CVE-2009-3615) A NULL pointer dereference flaw was found in the way the Pidgin IRC protocol plug-in handles IRC topics. A malicious IRC server could send a specially crafted IRC TOPIC message, which once received by Pidgin, would lead to a denial of service (Pidgin crash). (CVE-2009-2703) A NULL pointer dereference flaw was found in the way the Pidgin MSN protocol plug-in handles improper MSNSLP invitations. A remote attacker could send a specially crafted MSNSLP invitation request, which once accepted by a valid Pidgin user, would lead to a denial of service (Pidgin crash). (CVE-2009-3083) All Pidgin users should upgrade to this updated package, which contains backported patches to resolve these issues. Pidgin must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 67950 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67950 title Oracle Linux 3 : pidgin (ELSA-2009-1535) NASL family SuSE Local Security Checks NASL id SUSE_FINCH-6709.NASL description This update of pidgin fixes the following issues : - Allowed to send confidential data unencrypted even if SSL was chosen by user. (CVE-2009-3026: CVSS v2 Base Score: 5.0) - Remote denial of service in yahoo IM plug-in. (CVE-2009-3025: CVSS v2 Base Score: 4.3) - Remote denial of service in MSN plug-in. (CVE-2009-3083: CVSS v2 Base Score: 5.0) - Remote denial of service in MSN plug-in. (CVE-2009-3084: CVSS v2 Base Score: 5.0) - Remote denial of service in XMPP plug-in. (CVE-2009-3085: CVSS v2 Base Score: 5.0) - Remote denial of service in ICQ plug-in. (CVE-2009-3615: CVSS v2 Base Score: 5.0) - QQ protocol upgrade Migrate all QQ accounts to QQ2008. last seen 2020-06-01 modified 2020-06-02 plugin id 51725 published 2011-01-27 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/51725 title SuSE 10 Security Update : pidgin (ZYPP Patch Number 6709) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1932.NASL description It was discovered that incorrect pointer handling in the purple library, an internal component of the multi-protocol instant messaging client Pidgin, could lead to denial of service or the execution of arbitrary code through malformed contact requests. last seen 2020-06-01 modified 2020-06-02 plugin id 44797 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44797 title Debian DSA-1932-1 : pidgin - programming error NASL family Fedora Local Security Checks NASL id FEDORA_2009-10662.NASL description This update fixes : - Bug #529357 - CVE-2009-3615 Pidgin: Invalid pointer dereference (crash) after receiving contacts from SIM IM client Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 42193 published 2009-10-22 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/42193 title Fedora 11 : pidgin-2.6.3-2.fc11 (2009-10662) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-1536.NASL description Updated pidgin packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. The AOL Open System for Communication in Realtime (OSCAR) protocol is used by the AOL ICQ and AIM instant messaging systems. An invalid pointer dereference bug was found in the way the Pidgin OSCAR protocol implementation processed lists of contacts. A remote attacker could send a specially crafted contact list to a user running Pidgin, causing Pidgin to crash. (CVE-2009-3615) These packages upgrade Pidgin to version 2.6.3. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog All Pidgin users should upgrade to these updated packages, which correct this issue. Pidgin must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 42330 published 2009-11-02 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/42330 title CentOS 4 / 5 : pidgin (CESA-2009:1536) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-886-1.NASL description It was discovered that Pidgin did not properly handle certain topic messages in the IRC protocol handler. If a user were tricked into connecting to a malicious IRC server, an attacker could cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-2703) It was discovered that Pidgin did not properly enforce the last seen 2020-06-01 modified 2020-06-02 plugin id 44057 published 2010-01-19 reporter Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44057 title Ubuntu 8.04 LTS / 8.10 / 9.04 / 9.10 : pidgin vulnerabilities (USN-886-1) NASL family Scientific Linux Local Security Checks NASL id SL_20091029_PIDGIN_ON_SL3_X.NASL description An invalid pointer dereference bug was found in the way the Pidgin OSCAR protocol implementation processed lists of contacts. A remote attacker could send a specially crafted contact list to a user running Pidgin, causing Pidgin to crash. (CVE-2009-3615) A NULL pointer dereference flaw was found in the way the Pidgin IRC protocol plug-in handles IRC topics. A malicious IRC server could send a specially crafted IRC TOPIC message, which once received by Pidgin, would lead to a denial of service (Pidgin crash). (CVE-2009-2703) - SL3 only A NULL pointer dereference flaw was found in the way the Pidgin MSN protocol plug-in handles improper MSNSLP invitations. A remote attacker could send a specially crafted MSNSLP invitation request, which once accepted by a valid Pidgin user, would lead to a denial of service (Pidgin crash). (CVE-2009-3083) - SL3 only Pidgin must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 60686 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60686 title Scientific Linux Security Update : pidgin on SL3.x, SL4.x, SL5.x i386/x86_64 NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-1535.NASL description An updated pidgin package that fixes several security issues is now available for Red Hat Enterprise Linux 3. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. An invalid pointer dereference bug was found in the way the Pidgin OSCAR protocol implementation processed lists of contacts. A remote attacker could send a specially crafted contact list to a user running Pidgin, causing Pidgin to crash. (CVE-2009-3615) A NULL pointer dereference flaw was found in the way the Pidgin IRC protocol plug-in handles IRC topics. A malicious IRC server could send a specially crafted IRC TOPIC message, which once received by Pidgin, would lead to a denial of service (Pidgin crash). (CVE-2009-2703) A NULL pointer dereference flaw was found in the way the Pidgin MSN protocol plug-in handles improper MSNSLP invitations. A remote attacker could send a specially crafted MSNSLP invitation request, which once accepted by a valid Pidgin user, would lead to a denial of service (Pidgin crash). (CVE-2009-3083) All Pidgin users should upgrade to this updated package, which contains backported patches to resolve these issues. Pidgin must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 42312 published 2009-10-30 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/42312 title RHEL 3 : pidgin (RHSA-2009:1535) NASL family SuSE Local Security Checks NASL id SUSE_11_0_FINCH-080606.NASL description This update of pidgin fixes the following issues : - CVE-2009-3026: CVSS v2 Base Score: 5.0 Allowed to send confidential data unencrypted even if SSL was chosen by user. - CVE-2009-3025: CVSS v2 Base Score: 4.3 Remote denial of service in yahoo IM plug-in. - CVE-2009-3083: CVSS v2 Base Score: 5.0 Remote denial of service in MSN plug-in. - CVE-2009-3084: CVSS v2 Base Score: 5.0 Remote denial of service in MSN plug-in. - CVE-2009-3085: CVSS v2 Base Score: 5.0 Remote denial of service in XMPP plug-in. - CVE-2009-3615: CVSS v2 Base Score: 5.0 Remote denial of service in ICQ plug-in. - QQ protocol upgrade Migrate all QQ accounts to QQ2008. last seen 2020-06-01 modified 2020-06-02 plugin id 43050 published 2009-12-08 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/43050 title openSUSE Security Update : finch (finch-1625) NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_143318-03.NASL description GNOME 2.6.0_x86: Instant Messaging patch. Date this patch was last updated by Sun : Nov/30/10 last seen 2020-06-01 modified 2020-06-02 plugin id 108035 published 2018-03-12 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108035 title Solaris 10 (x86) : 143318-03 NASL family Solaris Local Security Checks NASL id SOLARIS10_143317.NASL description GNOME 2.6.0: Instant Messaging patch. Date this patch was last updated by Sun : Nov/30/10 This plugin has been deprecated and either replaced with individual 143317 patch-revision plugins, or deemed non-security related. last seen 2019-02-21 modified 2018-07-30 plugin id 71656 published 2013-12-28 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=71656 title Solaris 10 (sparc) : 143317-03 (deprecated) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2009-1536.NASL description From Red Hat Security Advisory 2009:1536 : Updated pidgin packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. The AOL Open System for Communication in Realtime (OSCAR) protocol is used by the AOL ICQ and AIM instant messaging systems. An invalid pointer dereference bug was found in the way the Pidgin OSCAR protocol implementation processed lists of contacts. A remote attacker could send a specially crafted contact list to a user running Pidgin, causing Pidgin to crash. (CVE-2009-3615) These packages upgrade Pidgin to version 2.6.3. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog All Pidgin users should upgrade to these updated packages, which correct this issue. Pidgin must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 67951 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/67951 title Oracle Linux 4 : pidgin (ELSA-2009-1536) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-1536.NASL description Updated pidgin packages that fix a security issue are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. The AOL Open System for Communication in Realtime (OSCAR) protocol is used by the AOL ICQ and AIM instant messaging systems. An invalid pointer dereference bug was found in the way the Pidgin OSCAR protocol implementation processed lists of contacts. A remote attacker could send a specially crafted contact list to a user running Pidgin, causing Pidgin to crash. (CVE-2009-3615) These packages upgrade Pidgin to version 2.6.3. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog All Pidgin users should upgrade to these updated packages, which correct this issue. Pidgin must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 42313 published 2009-10-30 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/42313 title RHEL 4 / 5 : pidgin (RHSA-2009:1536) NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_143318.NASL description GNOME 2.6.0_x86: Instant Messaging patch. Date this patch was last updated by Sun : Nov/30/10 This plugin has been deprecated and either replaced with individual 143318 patch-revision plugins, or deemed non-security related. last seen 2019-02-21 modified 2018-07-30 plugin id 71703 published 2013-12-28 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=71703 title Solaris 10 (x86) : 143318-03 (deprecated) NASL family SuSE Local Security Checks NASL id SUSE_11_1_FINCH-081203.NASL description This update of pidgin fixes the following issues : - CVE-2009-3026: CVSS v2 Base Score: 5.0 Allowed to send confidential data unencrypted even if SSL was chosen by user. - CVE-2009-3025: CVSS v2 Base Score: 4.3 Remote denial of service in yahoo IM plug-in. - CVE-2009-3083: CVSS v2 Base Score: 5.0 Remote denial of service in MSN plug-in. - CVE-2009-3084: CVSS v2 Base Score: 5.0 Remote denial of service in MSN plug-in. - CVE-2009-3085: CVSS v2 Base Score: 5.0 Remote denial of service in XMPP plug-in. - CVE-2009-3615: CVSS v2 Base Score: 5.0 Remote denial of service in ICQ plug-in. - QQ protocol upgrade Migrate all QQ accounts to QQ2008. last seen 2020-06-01 modified 2020-06-02 plugin id 43052 published 2009-12-08 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/43052 title openSUSE Security Update : finch (finch-1625) NASL family SuSE Local Security Checks NASL id SUSE_FINCH-6710.NASL description This update of pidgin fixes the following issues : - Allowed to send confidential data unencrypted even if SSL was chosen by user. (CVE-2009-3026: CVSS v2 Base Score: 5.0) - Remote denial of service in yahoo IM plug-in. (CVE-2009-3025: CVSS v2 Base Score: 4.3) - Remote denial of service in MSN plug-in. (CVE-2009-3083: CVSS v2 Base Score: 5.0) - Remote denial of service in MSN plug-in. (CVE-2009-3084: CVSS v2 Base Score: 5.0) - Remote denial of service in XMPP plug-in. (CVE-2009-3085: CVSS v2 Base Score: 5.0) - Remote denial of service in ICQ plug-in. (CVE-2009-3615: CVSS v2 Base Score: 5.0) - QQ protocol upgrade Migrate all QQ accounts to QQ2008. last seen 2020-06-01 modified 2020-06-02 plugin id 51726 published 2011-01-27 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/51726 title SuSE 10 Security Update : pidgin (ZYPP Patch Number 6710) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2010-085.NASL description Security vulnerabilities has been identified and fixed in pidgin : The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client (CVE-2009-3615). Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon (CVE-2010-0013). Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon (CVE-2010-0013). Certain malformed SLP messages can trigger a crash because the MSN protocol plugin fails to check that all pieces of the message are set correctly (CVE-2010-0277). In a user in a multi-user chat room has a nickname containing last seen 2020-06-01 modified 2020-06-02 plugin id 46177 published 2010-04-29 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/46177 title Mandriva Linux Security Advisory : pidgin (MDVSA-2010:085) NASL family Solaris Local Security Checks NASL id SOLARIS10_143317-03.NASL description GNOME 2.6.0: Instant Messaging patch. Date this patch was last updated by Sun : Nov/30/10 last seen 2020-06-01 modified 2020-06-02 plugin id 107540 published 2018-03-12 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107540 title Solaris 10 (sparc) : 143317-03 NASL family SuSE Local Security Checks NASL id SUSE_11_2_FINCH-091024.NASL description This update of pidgin fixes the following issues : - CVE-2009-3026: CVSS v2 Base Score: 5.0 Allowed to send confidential data unencrypted even if SSL was chosen by user. - CVE-2009-3025: CVSS v2 Base Score: 4.3 Remote denial of service in yahoo IM plug-in. - CVE-2009-3083: CVSS v2 Base Score: 5.0 Remote denial of service in MSN plug-in. - CVE-2009-3084: CVSS v2 Base Score: 5.0 Remote denial of service in MSN plug-in. - CVE-2009-3085: CVSS v2 Base Score: 5.0 Remote denial of service in XMPP plug-in. - CVE-2009-3615: CVSS v2 Base Score: 5.0 Remote denial of service in ICQ plug-in. - QQ protocol upgrade Migrate all QQ accounts to QQ2008. last seen 2020-06-01 modified 2020-06-02 plugin id 43054 published 2009-12-08 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/43054 title openSUSE Security Update : finch (finch-1625) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2009-290-02.NASL description New pidgin packages are available for Slackware 12.0, 12.1, 12.2, 13.0, and -current to fix a security issue. last seen 2020-06-01 modified 2020-06-02 plugin id 42169 published 2009-10-19 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42169 title Slackware 12.0 / 12.1 / 12.2 / 13.0 / current : pidgin (SSA:2009-290-02) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2010-001.NASL description Security vulnerabilities has been identified and fixed in pidgin : The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client (CVE-2009-3615). Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon (CVE-2010-0013). Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. This update provides pidgin 2.6.5, which is not vulnerable to these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 43853 published 2010-01-12 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43853 title Mandriva Linux Security Advisory : pidgin (MDVSA-2010:001)
Oval
accepted 2013-09-30T04:01:09.686-04:00 class vulnerability contributors name Shane Shaffer organization G2, Inc. definition_extensions comment Pidgin is installed oval oval:org.mitre.oval:def:12366 description The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client. family windows id oval:org.mitre.oval:def:18388 status accepted submitted 2013-08-16T15:36:10.221-04:00 title The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client version 4 accepted 2013-04-29T04:19:16.114-04:00 class vulnerability contributors name Aharon Chernin organization SCAP.com, LLC name Dragos Prisaca organization G2, Inc.
definition_extensions comment The operating system installed on the system is Red Hat Enterprise Linux 3 oval oval:org.mitre.oval:def:11782 comment CentOS Linux 3.x oval oval:org.mitre.oval:def:16651 comment The operating system installed on the system is Red Hat Enterprise Linux 4 oval oval:org.mitre.oval:def:11831 comment CentOS Linux 4.x oval oval:org.mitre.oval:def:16636 comment Oracle Linux 4.x oval oval:org.mitre.oval:def:15990 comment The operating system installed on the system is Red Hat Enterprise Linux 5 oval oval:org.mitre.oval:def:11414 comment The operating system installed on the system is CentOS Linux 5.x oval oval:org.mitre.oval:def:15802 comment Oracle Linux 5.x oval oval:org.mitre.oval:def:15459
description The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client. family unix id oval:org.mitre.oval:def:9414 status accepted submitted 2010-07-09T03:56:16-04:00 title The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client. version 27
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
Seebug
bulletinFamily exploit description CVE ID:CVE-2009-3615 Adium是一款Mac OS X下的多协议即时通信软件。 Adium处理部分oscar协议消息存在错误,远程攻击者可以利用漏洞对应用程序进行拒绝服务攻击。 构建特殊的ICQ消息可触发此漏洞。 Adium 1.x 厂商解决方案 用户可联系供应商升级到Adium 1.3.7版本: http://www.adium.im/?download=10.4 id SSV:12496 last seen 2017-11-19 modified 2009-10-20 published 2009-10-20 reporter Root title Adium ICQ消息拒绝服务漏洞 bulletinFamily exploit description Bugraq ID: 36719 CVE ID:CVE-2009-3615 Pidgin是一款多协议即时通信软件。 Pidgin oscar协议插件处理特殊构建的消息(如ICQ消息)存在问题,可导致不正确内存访问而使应用程序崩溃。 目前没有详细漏洞细节提供。 Pidgin Pidgin 2.6.1 Pidgin Pidgin 2.6 Pidgin Pidgin 2.5.9 Pidgin Pidgin 2.5.8 Pidgin Pidgin 2.5.7 Pidgin Pidgin 2.5.6 Pidgin Pidgin 2.5.6 Pidgin Pidgin 2.5.5 Pidgin Pidgin 2.4.3 Pidgin Pidgin 2.4.3 Pidgin Pidgin 2.4.2 Pidgin Pidgin 2.4.1 Pidgin Pidgin 2.4 Pidgin Pidgin 2.2.2 Pidgin Pidgin 2.2.1 Pidgin Pidgin 2.2 Pidgin Pidgin 2.1 Pidgin Pidgin 2.0.2 Pidgin Pidgin 2.0 用户可联系供应商获得最新版本的程序: Pidgin Pidgin 2.0 Pidgin pidgin-2.6.3.tar.bz2 http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2 Pidgin Pidgin 2.0.2 Pidgin pidgin-2.6.3.tar.bz2 http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2 Pidgin Pidgin 2.1 Pidgin pidgin-2.6.3.tar.bz2 http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2 Pidgin Pidgin 2.2 Pidgin pidgin-2.6.3.tar.bz2 http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2 Pidgin Pidgin 2.2.1 Pidgin pidgin-2.6.3.tar.bz2 http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2 Pidgin Pidgin 2.2.2 Pidgin pidgin-2.6.3.tar.bz2 http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2 Pidgin Pidgin 2.4 Pidgin pidgin-2.6.3.tar.bz2 http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2 Pidgin Pidgin 2.4.1 Pidgin pidgin-2.6.3.tar.bz2 http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2 Pidgin Pidgin 2.4.2 Pidgin pidgin-2.6.3.tar.bz2 http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2 Pidgin Pidgin 2.4.3 Pidgin pidgin-2.6.3.tar.bz2 http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2 Pidgin Pidgin 2.4.3 Pidgin pidgin-2.6.3.tar.bz2 http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2 Pidgin Pidgin 2.5.5 Pidgin pidgin-2.6.3.tar.bz2 http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2 Pidgin Pidgin 2.5.6 Pidgin pidgin-2.6.3.tar.bz2 http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2 Pidgin Pidgin 2.5.6 Pidgin pidgin-2.6.3.tar.bz2 http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2 Pidgin Pidgin 2.5.7 Pidgin pidgin-2.6.3.tar.bz2 http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2 Pidgin Pidgin 2.5.8 Pidgin pidgin-2.6.3.tar.bz2 http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2 Pidgin Pidgin 2.5.9 Pidgin pidgin-2.6.3.tar.bz2 http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2 Pidgin Pidgin 2.6 Pidgin pidgin-2.6.3.tar.bz2 http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2 Pidgin Pidgin 2.6.1 Pidgin pidgin-2.6.3.tar.bz2 http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.3.tar.bz2 id SSV:12493 last seen 2017-11-19 modified 2009-10-20 published 2009-10-20 reporter Root title Pidgin OSCAR插件非法内存访问拒绝服务漏洞 bulletinFamily exploit description No description provided by source. id SSV:12604 last seen 2017-11-19 modified 2009-11-10 published 2009-11-10 reporter Root source https://www.seebug.org/vuldb/ssvid-12604 title New pidgin packages fix arbitrary code execution
References
- http://developer.pidgin.im/ticket/10481
- http://developer.pidgin.im/viewmtn/revision/info/781682333aea0c801d280c3507ee25552a60bfc0
- http://developer.pidgin.im/wiki/ChangeLog
- http://secunia.com/advisories/37017
- http://secunia.com/advisories/37072
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:085
- http://www.pidgin.im/news/security/?id=41
- http://www.securityfocus.com/bid/36719
- http://www.vupen.com/english/advisories/2009/2949
- http://www.vupen.com/english/advisories/2009/2951
- http://www.vupen.com/english/advisories/2010/1020
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53807
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18388
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9414