Vulnerabilities > CVE-2012-2214 - Resource Management Errors vulnerability in Pidgin
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
proxy.c in libpurple in Pidgin before 2.10.4 does not properly handle canceled SOCKS5 connection attempts, which allows user-assisted remote authenticated users to cause a denial of service (application crash) via a sequence of XMPP file-transfer requests.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_11_FINCH-120515.NASL description Various remote triggerable crashes in pidgin have been fixed : - In some situations the MSN server sends text that isn last seen 2020-06-05 modified 2013-01-25 plugin id 64128 published 2013-01-25 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64128 title SuSE 11.1 Security Update : finch, libpurple and pidgin (SAT Patch Number 6294) NASL family SuSE Local Security Checks NASL id SUSE_FINCH-8131.NASL description Various remote triggerable crashes in pidgin have been fixed : - In some situations the MSN server sends text that isn last seen 2020-06-05 modified 2012-06-25 plugin id 59682 published 2012-06-25 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/59682 title SuSE 10 Security Update : finch, libpurple, and pidgin (ZYPP Patch Number 8131) NASL family Fedora Local Security Checks NASL id FEDORA_2012-8686.NASL description Fix for CVE-2012-2214 and CVE-2012-2318. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2012-06-11 plugin id 59435 published 2012-06-11 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/59435 title Fedora 16 : pidgin-2.10.4-1.fc16 (2012-8686) NASL family Windows NASL id PIDGIN_2_10_4.NASL description The version of Pidgin installed on the remote host is earlier than 2.10.4 and is, therefore, potentially affected by the following issues : - An error exists in the file last seen 2020-06-01 modified 2020-06-02 plugin id 59317 published 2012-05-31 reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/59317 title Pidgin < 2.10.4 Multiple DoS Vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_11_FINCH-120516.NASL description Various remote triggerable crashes in pidgin have been fixed : - In some situations the MSN server sends text that isn last seen 2020-06-05 modified 2013-01-25 plugin id 64129 published 2013-01-25 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64129 title SuSE 11.1 Security Update : finch, libpurple and pidgin (SAT Patch Number 6294) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_64F8B72D9C4E11E19C94000BCDF0A03B.NASL description Pidgin reports : A series of specially crafted file transfer requests can cause clients to reference invalid memory. The user must have accepted one of the file transfer requests. last seen 2020-06-01 modified 2020-06-02 plugin id 59085 published 2012-05-14 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/59085 title FreeBSD : libpurple -- Invalid memory dereference in the XMPP protocol plug-in by processing a series of specially crafted file transfer requests (64f8b72d-9c4e-11e1-9c94-000bcdf0a03b) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1500-1.NASL description Evgeny Boger discovered that Pidgin incorrectly handled buddy list messages in the AIM and ICQ protocol handlers. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2011-4601) Thijs Alkemade discovered that Pidgin incorrectly handled malformed voice and video chat requests in the XMPP protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2011-4602) Diego Bauche Madero discovered that Pidgin incorrectly handled UTF-8 sequences in the SILC protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2011-4603) Julia Lawall discovered that Pidgin incorrectly cleared memory contents used in cryptographic operations. An attacker could exploit this to read the memory contents, leading to an information disclosure. This issue only affected Ubuntu 10.04 LTS. (CVE-2011-4922) Clemens Huebner and Kevin Stange discovered that Pidgin incorrectly handled nickname changes inside chat rooms in the XMPP protocol handler. A remote attacker could exploit this by changing nicknames, leading to a denial of service. This issue only affected Ubuntu 11.10. (CVE-2011-4939) Thijs Alkemade discovered that Pidgin incorrectly handled off-line instant messages in the MSN protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 10.04 LTS, 11.04 and 11.10. (CVE-2012-1178) Jose Valentin Gutierrez discovered that Pidgin incorrectly handled SOCKS5 proxy connections during file transfer requests in the XMPP protocol handler. A remote attacker could send a specially crafted request and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 12.04 LTS and 11.10. (CVE-2012-2214) Fabian Yamaguchi discovered that Pidgin incorrectly handled malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. (CVE-2012-2318) Ulf Harnhammar discovered that Pidgin incorrectly handled messages with in-line images in the MXit protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2012-3374). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 59903 published 2012-07-10 reporter Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/59903 title Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : pidgin vulnerabilities (USN-1500-1) NASL family Fedora Local Security Checks NASL id FEDORA_2012-8669.NASL description Fix for CVE-2012-2214 and CVE-2012-2318. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2012-06-11 plugin id 59433 published 2012-06-11 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/59433 title Fedora 15 : pidgin-2.10.4-1.fc15 (2012-8669) NASL family Solaris Local Security Checks NASL id SOLARIS11_PIDGIN_20121009.NASL description The remote Solaris system is missing necessary patches to address security updates : - proxy.c in libpurple in Pidgin before 2.10.4 does not properly handle canceled SOCKS5 connection attempts, which allows user-assisted remote authenticated users to cause a denial of service (application crash) via a sequence of XMPP file-transfer requests. (CVE-2012-2214) - msg.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.4 does not properly handle crafted characters, which allows remote servers to cause a denial of service (application crash) by placing these characters in a text/ plain message. (CVE-2012-2318) last seen 2020-06-01 modified 2020-06-02 plugin id 80738 published 2015-01-19 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/80738 title Oracle Solaris Third-Party Patch Update : pidgin (multiple_vulnerabilities_in_pidgin) NASL family Fedora Local Security Checks NASL id FEDORA_2012-8687.NASL description Fix for CVE-2012-2214 and CVE-2012-2318. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2012-06-04 plugin id 59353 published 2012-06-04 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/59353 title Fedora 17 : pidgin-2.10.4-1.fc17 (2012-8687) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2012-082.NASL description Multiple vulnerabilities has been discovered and corrected in pidgin : A series of specially crafted file transfer requests can cause clients to reference invalid memory. The user must have accepted one of the file transfer requests (CVE-2012-2214). Incoming messages with certain characters or character encodings can cause clients to crash (CVE-2012-2318). This update provides pidgin 2.10.4, which is not vulnerable to these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 61954 published 2012-09-06 reporter This script is Copyright (C) 2012-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/61954 title Mandriva Linux Security Advisory : pidgin (MDVSA-2012:082)
Oval
| accepted | 2013-09-30T04:00:42.572-04:00 | ||||
| class | vulnerability | ||||
| contributors |
| ||||
| definition_extensions |
| ||||
| description | proxy.c in libpurple in Pidgin before 2.10.4 does not properly handle canceled SOCKS5 connection attempts, which allows user-assisted remote authenticated users to cause a denial of service (application crash) via a sequence of XMPP file-transfer requests. | ||||
| family | windows | ||||
| id | oval:org.mitre.oval:def:17886 | ||||
| status | accepted | ||||
| submitted | 2013-08-16T15:36:10.221-04:00 | ||||
| title | proxy.c in libpurple in Pidgin before 2.10.4 does not properly handle canceled SOCKS5 connection attempts, which allows user-assisted remote authenticated users to cause a denial of service (application crash) via a sequence of XMPP file-transfer requests | ||||
| version | 4 |
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 53706 CVE ID: CVE-2012-2214 Pidgin是一款多合一世界主流即时通讯软件集成工具。 Pidgin 2.10.4之前版本在处理一系列特制的文件传输请求时刻造成客户端引用无效内存,用户接受了其中一个文件传输请求后,可造成受影响应用崩溃。 0 Pidgin <2.10.4 厂商补丁: Pidgin ------ Pidgin已经为此发布了一个安全公告(CVE-2012-2214)以及相应补丁: CVE-2012-2214:XMPP remote crash 链接:http://www.pidgin.im/news/security/?id=62 |
| id | SSV:60183 |
| last seen | 2017-11-19 |
| modified | 2012-06-05 |
| published | 2012-06-05 |
| reporter | Root |
| title | Pidgin <2.10.4 XMPP协议文件传输请求处理远程拒绝服务漏洞 |
References
- http://hg.pidgin.im/pidgin/main/rev/5f9d676cefdb
- http://hg.pidgin.im/pidgin/main/rev/5f9d676cefdb
- http://pidgin.im/news/security/?id=62
- http://pidgin.im/news/security/?id=62
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:082
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:082
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17886
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17886