Vulnerabilities > CVE-2012-1178 - Resource Management Errors vulnerability in Pidgin
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
The msn_oim_report_to_user function in oim.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.2 allows remote servers to cause a denial of service (application crash) via an OIM message that lacks UTF-8 encoding.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_11_FINCH-120515.NASL description Various remote triggerable crashes in pidgin have been fixed : - In some situations the MSN server sends text that isn last seen 2020-06-05 modified 2013-01-25 plugin id 64128 published 2013-01-25 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64128 title SuSE 11.1 Security Update : finch, libpurple and pidgin (SAT Patch Number 6294) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2012-1102.NASL description Updated pidgin packages that fix three security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. A flaw was found in the way the Pidgin MSN protocol plug-in processed text that was not encoded in UTF-8. A remote attacker could use this flaw to crash Pidgin by sending a specially crafted MSN message. (CVE-2012-1178) An input validation flaw was found in the way the Pidgin MSN protocol plug-in handled MSN notification messages. A malicious server or a remote attacker could use this flaw to crash Pidgin by sending a specially crafted MSN notification message. (CVE-2012-2318) A buffer overflow flaw was found in the Pidgin MXit protocol plug-in. A remote attacker could use this flaw to crash Pidgin by sending a MXit message containing specially crafted emoticon tags. (CVE-2012-3374) Red Hat would like to thank the Pidgin project for reporting the CVE-2012-3374 issue. Upstream acknowledges Ulf Harnhammar as the original reporter of CVE-2012-3374. All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Pidgin must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 60067 published 2012-07-20 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60067 title CentOS 5 / 6 : pidgin (CESA-2012:1102) NASL family Scientific Linux Local Security Checks NASL id SL_20120719_PIDGIN_ON_SL5_X.NASL description Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. A flaw was found in the way the Pidgin MSN protocol plug-in processed text that was not encoded in UTF-8. A remote attacker could use this flaw to crash Pidgin by sending a specially crafted MSN message. (CVE-2012-1178) An input validation flaw was found in the way the Pidgin MSN protocol plug-in handled MSN notification messages. A malicious server or a remote attacker could use this flaw to crash Pidgin by sending a specially crafted MSN notification message. (CVE-2012-2318) A buffer overflow flaw was found in the Pidgin MXit protocol plug-in. A remote attacker could use this flaw to crash Pidgin by sending a MXit message containing specially crafted emoticon tags. (CVE-2012-3374) All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Pidgin must be restarted for this update to take effect. last seen 2020-03-18 modified 2012-08-01 plugin id 61370 published 2012-08-01 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/61370 title Scientific Linux Security Update : pidgin on SL5.x, SL6.x i386/x86_64 (20120719) NASL family SuSE Local Security Checks NASL id SUSE_FINCH-8131.NASL description Various remote triggerable crashes in pidgin have been fixed : - In some situations the MSN server sends text that isn last seen 2020-06-05 modified 2012-06-25 plugin id 59682 published 2012-06-25 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/59682 title SuSE 10 Security Update : finch, libpurple, and pidgin (ZYPP Patch Number 8131) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2012-1102.NASL description From Red Hat Security Advisory 2012:1102 : Updated pidgin packages that fix three security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. A flaw was found in the way the Pidgin MSN protocol plug-in processed text that was not encoded in UTF-8. A remote attacker could use this flaw to crash Pidgin by sending a specially crafted MSN message. (CVE-2012-1178) An input validation flaw was found in the way the Pidgin MSN protocol plug-in handled MSN notification messages. A malicious server or a remote attacker could use this flaw to crash Pidgin by sending a specially crafted MSN notification message. (CVE-2012-2318) A buffer overflow flaw was found in the Pidgin MXit protocol plug-in. A remote attacker could use this flaw to crash Pidgin by sending a MXit message containing specially crafted emoticon tags. (CVE-2012-3374) Red Hat would like to thank the Pidgin project for reporting the CVE-2012-3374 issue. Upstream acknowledges Ulf Harnhammar as the original reporter of CVE-2012-3374. All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Pidgin must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 68584 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68584 title Oracle Linux 6 : pidgin (ELSA-2012-1102) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_7289214F7C5511E1AB3B000BCDF0A03B.NASL description US-CERT reports : The msn_oim_report_to_user function in oim.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.2 allows remote servers to cause a denial of service (application crash) via an OIM message that lacks UTF-8 encoding. last seen 2020-06-01 modified 2020-06-02 plugin id 58556 published 2012-04-02 reporter This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/58556 title FreeBSD : libpurple -- Remote DoS via an MSN OIM message that lacks UTF-8 encoding (7289214f-7c55-11e1-ab3b-000bcdf0a03b) NASL family SuSE Local Security Checks NASL id OPENSUSE-2012-432.NASL description Changes in pidgin : - Fixing bnc#752275, CVE-2012-1178: Pidgin fails to verify the text last seen 2020-06-05 modified 2014-06-13 plugin id 74688 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74688 title openSUSE Security Update : pidgin (openSUSE-SU-2012:0905-1) NASL family Windows NASL id PIDGIN_2_10_2.NASL description The version of Pidgin installed on the remote host is earlier than 2.10.2 and is potentially affected by the following issues : - A denial of service vulnerability (NULL pointer dereference) in the last seen 2020-06-01 modified 2020-06-02 plugin id 58410 published 2012-03-21 reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/58410 title Pidgin < 2.10.2 Multiple DoS NASL family SuSE Local Security Checks NASL id SUSE_11_FINCH-120516.NASL description Various remote triggerable crashes in pidgin have been fixed : - In some situations the MSN server sends text that isn last seen 2020-06-05 modified 2013-01-25 plugin id 64129 published 2013-01-25 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64129 title SuSE 11.1 Security Update : finch, libpurple and pidgin (SAT Patch Number 6294) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1500-1.NASL description Evgeny Boger discovered that Pidgin incorrectly handled buddy list messages in the AIM and ICQ protocol handlers. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2011-4601) Thijs Alkemade discovered that Pidgin incorrectly handled malformed voice and video chat requests in the XMPP protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2011-4602) Diego Bauche Madero discovered that Pidgin incorrectly handled UTF-8 sequences in the SILC protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2011-4603) Julia Lawall discovered that Pidgin incorrectly cleared memory contents used in cryptographic operations. An attacker could exploit this to read the memory contents, leading to an information disclosure. This issue only affected Ubuntu 10.04 LTS. (CVE-2011-4922) Clemens Huebner and Kevin Stange discovered that Pidgin incorrectly handled nickname changes inside chat rooms in the XMPP protocol handler. A remote attacker could exploit this by changing nicknames, leading to a denial of service. This issue only affected Ubuntu 11.10. (CVE-2011-4939) Thijs Alkemade discovered that Pidgin incorrectly handled off-line instant messages in the MSN protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2012-1178) Jose Valentin Gutierrez discovered that Pidgin incorrectly handled SOCKS5 proxy connections during file transfer requests in the XMPP protocol handler. A remote attacker could send a specially crafted request and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 12.04 LTS and 11.10. (CVE-2012-2214) Fabian Yamaguchi discovered that Pidgin incorrectly handled malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. (CVE-2012-2318) Ulf Harnhammar discovered that Pidgin incorrectly handled messages with in-line images in the MXit protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2012-3374). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 59903 published 2012-07-10 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/59903 title Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : pidgin vulnerabilities (USN-1500-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2012-1102.NASL description Updated pidgin packages that fix three security issues are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. A flaw was found in the way the Pidgin MSN protocol plug-in processed text that was not encoded in UTF-8. A remote attacker could use this flaw to crash Pidgin by sending a specially crafted MSN message. (CVE-2012-1178) An input validation flaw was found in the way the Pidgin MSN protocol plug-in handled MSN notification messages. A malicious server or a remote attacker could use this flaw to crash Pidgin by sending a specially crafted MSN notification message. (CVE-2012-2318) A buffer overflow flaw was found in the Pidgin MXit protocol plug-in. A remote attacker could use this flaw to crash Pidgin by sending a MXit message containing specially crafted emoticon tags. (CVE-2012-3374) Red Hat would like to thank the Pidgin project for reporting the CVE-2012-3374 issue. Upstream acknowledges Ulf Harnhammar as the original reporter of CVE-2012-3374. All Pidgin users should upgrade to these updated packages, which contain backported patches to resolve these issues. Pidgin must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 60076 published 2012-07-20 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60076 title RHEL 5 / 6 : pidgin (RHSA-2012:1102) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2012-029.NASL description Multiple vulnerabilities has been discovered and corrected in pidgin : The pidgin_conv_chat_rename_user function in gtkconv.c in Pidgin before 2.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by changing a nickname while in an XMPP chat room (CVE-2011-4939). The msn_oim_report_to_user function in oim.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.2 allows remote servers to cause a denial of service (application crash) via an OIM message that lacks UTF-8 encoding (CVE-2012-1178). This update provides pidgin 2.10.2, which is not vulnerable to these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 61945 published 2012-09-06 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/61945 title Mandriva Linux Security Advisory : pidgin (MDVSA-2012:029)
Oval
| accepted | 2013-09-30T04:00:48.332-04:00 | ||||
| class | vulnerability | ||||
| contributors |
| ||||
| definition_extensions |
| ||||
| description | The msn_oim_report_to_user function in oim.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.2 allows remote servers to cause a denial of service (application crash) via an OIM message that lacks UTF-8 encoding. | ||||
| family | windows | ||||
| id | oval:org.mitre.oval:def:18019 | ||||
| status | accepted | ||||
| submitted | 2013-08-16T15:36:10.221-04:00 | ||||
| title | The msn_oim_report_to_user function in oim.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.2 allows remote servers to cause a denial of service (application crash) via an OIM message that lacks UTF-8 encoding | ||||
| version | 4 |
Redhat
| advisories |
| ||||
| rpms |
|
References
- http://developer.pidgin.im/ticket/14884
- http://developer.pidgin.im/viewmtn/revision/diff/60f8379d0a610538cf42e0dd9ab1436c8b9308cd/with/3053d6a37cc6d8774aba7607b992a4408216adcd/libpurple/protocols/msn/oim.c
- http://developer.pidgin.im/viewmtn/revision/info/3053d6a37cc6d8774aba7607b992a4408216adcd
- http://pidgin.im/news/security/?id=61
- http://rhn.redhat.com/errata/RHSA-2012-1102.html
- http://secunia.com/advisories/50005
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:029
- http://www.securityfocus.com/bid/52475
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18019