Vulnerabilities > CVE-2013-0271 - Arbitrary File Overwrite vulnerability in Pidgin 'Libpurple'

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The text description of this plugin is (C) Novell, Inc.
#

include("compat.inc");

if (description)
{
  script_id(65026);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2013-0271", "CVE-2013-0272", "CVE-2013-0273", "CVE-2013-0274");

  script_name(english:"SuSE 10 Security Update : pidgin (ZYPP Patch Number 8475)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote SuSE 10 host is missing a security-related patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"pidgin was updated to fix 4 security issues :

  - Fixed a crash when receiving UPnP responses with
    abnormally long values. (CVE-2013-0274, bnc#804742)

  - Fixed a crash in Sametime protocol when a malicious
    server sends us an abnormally long user ID.
    (CVE-2013-0273, bnc#804742)

  - Fixed a bug where the MXit server or a man-in-the-middle
    could potentially send specially crafted data that could
    overflow a buffer and lead to a crash or remote code
    execution. (CVE-2013-0272, bnc#804742)

  - Fixed a bug where a remote MXit user could possibly
    specify a local file path to be written to.
    (CVE-2013-0271, bnc#804742)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-0271.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-0272.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-0273.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-0274.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 8475.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2013/02/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/03/05");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented.");


flag = 0;
if (rpm_check(release:"SLED10", sp:4, reference:"finch-2.6.6-0.20.1")) flag++;
if (rpm_check(release:"SLED10", sp:4, reference:"libpurple-2.6.6-0.20.1")) flag++;
if (rpm_check(release:"SLED10", sp:4, reference:"pidgin-2.6.6-0.20.1")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else exit(0, "The host is not affected.");

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Oracle Third Party software advisories.
#
include("compat.inc");

if (description)
{
  script_id(80740);
  script_version("1.2");
  script_cvs_date("Date: 2018/11/15 20:50:25");

  script_cve_id("CVE-2012-6152", "CVE-2013-0271", "CVE-2013-0272", "CVE-2013-0273", "CVE-2013-0274", "CVE-2013-6477", "CVE-2013-6478", "CVE-2013-6479", "CVE-2013-6481", "CVE-2013-6482", "CVE-2013-6483", "CVE-2013-6484", "CVE-2013-6485", "CVE-2013-6486", "CVE-2013-6487", "CVE-2013-6489", "CVE-2013-6490", "CVE-2014-0020");

  script_name(english:"Oracle Solaris Third-Party Patch Update : pidgin (multiple_vulnerabilities_in_pidgin2)");
  script_summary(english:"Check for the 'entire' version.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Solaris system is missing a security patch for third-party
software."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote Solaris system is missing necessary patches to address
security updates :

  - The Yahoo! protocol plugin in libpurple in Pidgin before
    2.10.8 does not properly validate UTF-8 data, which
    allows remote attackers to cause a denial of service
    (application crash) via crafted byte sequences.
    (CVE-2012-6152)

  - The MXit protocol plugin in libpurple in Pidgin before
    2.10.7 might allow remote attackers to create or
    overwrite files via a crafted (1) mxit or (2)
    mxit/imagestrips pathname. (CVE-2013-0271)

  - Buffer overflow in http.c in the MXit protocol plugin in
    libpurple in Pidgin before 2.10.7 allows remote servers
    to execute arbitrary code via a long HTTP header.
    (CVE-2013-0272)

  - sametime.c in the Sametime protocol plugin in libpurple
    in Pidgin before 2.10.7 does not properly terminate long
    user IDs, which allows remote servers to cause a denial
    of service (application crash) via a crafted packet.
    (CVE-2013-0273)

  - upnp.c in libpurple in Pidgin before 2.10.7 does not
    properly terminate long strings in UPnP responses, which
    allows remote attackers to cause a denial of service
    (application crash) by leveraging access to the local
    network. (CVE-2013-0274)

  - Multiple integer signedness errors in libpurple in
    Pidgin before 2.10.8 allow remote attackers to cause a
    denial of service (application crash) via a crafted
    timestamp value in an XMPP message. (CVE-2013-6477)

  - gtkimhtml.c in Pidgin before 2.10.8 does not properly
    interact with underlying library support for wide Pango
    layouts, which allows user-assisted remote attackers to
    cause a denial of service (application crash) via a long
    URL that is examined with a tooltip. (CVE-2013-6478)

  - util.c in libpurple in Pidgin before 2.10.8 does not
    properly allocate memory for HTTP responses that are
    inconsistent with the Content-Length header, which
    allows remote HTTP servers to cause a denial of service
    (application crash) via a crafted response.
    (CVE-2013-6479)

  - libpurple/protocols/yahoo/libymsg.c in Pidgin before
    2.10.8 allows remote attackers to cause a denial of
    service (crash) via a Yahoo! P2P message with a crafted
    length field, which triggers a buffer over-read.
    (CVE-2013-6481)

  - Pidgin before 2.10.8 allows remote MSN servers to cause
    a denial of service (NULL pointer dereference and crash)
    via a crafted (1) SOAP response, (2) OIM XML response,
    or (3) Content-Length header. (CVE-2013-6482)

  - The XMPP protocol plugin in libpurple in Pidgin before
    2.10.8 does not properly determine whether the from
    address in an iq reply is consistent with the to address
    in an iq request, which allows remote attackers to spoof
    iq traffic or cause a denial of service (NULL pointer
    dereference and application crash) via a crafted reply.
    (CVE-2013-6483)

  - The STUN protocol implementation in libpurple in Pidgin
    before 2.10.8 allows remote STUN servers to cause a
    denial of service (out-of-bounds write operation and
    application crash) by triggering a socket read error.
    (CVE-2013-6484)

  - Buffer overflow in util.c in libpurple in Pidgin before
    2.10.8 allows remote HTTP servers to cause a denial of
    service (application crash) or possibly have unspecified
    other impact via an invalid chunk-size field in chunked
    transfer-coding data. (CVE-2013-6485)

  - gtkutils.c in Pidgin before 2.10.8 on Windows allows
    user-assisted remote attackers to execute arbitrary
    programs via a message containing a file: URL that is
    improperly handled during construction of an
    explorer.exe command. NOTE: this vulnerability exists
    because of an incomplete fix for CVE-2011-3185.
    (CVE-2013-6486)

  - Integer overflow in libpurple/protocols/gg/lib/http.c in
    the Gadu-Gadu (gg) parser in Pidgin before 2.10.8 allows
    remote attackers to have an unspecified impact via a
    large Content-Length value, which triggers a buffer
    overflow. (CVE-2013-6487)

  - Integer signedness error in the MXit functionality in
    Pidgin before 2.10.8 allows remote attackers to cause a
    denial of service (segmentation fault) via a crafted
    emoticon value, which triggers an integer overflow and a
    buffer overflow. (CVE-2013-6489)

  - The SIMPLE protocol functionality in Pidgin before
    2.10.8 allows remote attackers to have an unspecified
    impact via a negative Content-Length header, which
    triggers a buffer overflow. (CVE-2013-6490)

  - The IRC protocol plugin in libpurple in Pidgin before
    2.10.8 does not validate argument counts, which allows
    remote IRC servers to cause a denial of service
    (application crash) via a crafted message.
    (CVE-2014-0020)"
  );
  # https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?4a913f44"
  );
  # https://blogs.oracle.com/sunsecurity/multiple-vulnerabilities-in-pidgin
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?07a786a5"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade to Solaris 11.2.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:solaris:11.2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:solaris:pidgin");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/07/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/19");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
  script_family(english:"Solaris Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Solaris11/release", "Host/Solaris11/pkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("solaris.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Solaris11/release");
if (isnull(release)) audit(AUDIT_OS_NOT, "Solaris11");
pkg_list = solaris_pkg_list_leaves();
if (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, "Solaris pkg-list packages");

if (empty_or_null(egrep(string:pkg_list, pattern:"^pidgin$"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "pidgin");

flag = 0;

if (solaris_check_release(release:"0.5.11-0.175.2.0.0.0.0", sru:"11.2 SRU 0") > 0) flag++;

if (flag)
{
  error_extra = 'Affected package : pidgin\n' + solaris_get_report2();
  error_extra = ereg_replace(pattern:"version", replace:"OS version", string:error_extra);
  if (report_verbosity > 0) security_hole(port:0, extra:error_extra);
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_PACKAGE_NOT_AFFECTED, "pidgin");

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2013-231.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(74934);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2013-0271", "CVE-2013-0272", "CVE-2013-0273", "CVE-2013-0274");
  script_bugtraq_id(57951, 57952, 57954);

  script_name(english:"openSUSE Security Update : pidgin (openSUSE-SU-2013:0511-1)");
  script_summary(english:"Check for the openSUSE-2013-231 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Pidgin was updated to 2.10.7 to fix various security issues and the
bug that IRC did not work at all in 12.3.

Changes :

  - Add pidgin-irc-sasl.patch: link irc module to SASL.
    Allows the IRC module to be loaded (bnc#806975).

  - Update to version 2.10.7 (bnc#804742) :

  + Alien hatchery :

  - No changes

  + General :

  - The configure script will now exit with status 1 when
    specifying invalid protocol plugins using the

    --with-static-prpls and --with-dynamic-prpls arguments.
    (pidgin.im#15316)

  + libpurple :

  - Fix a crash when receiving UPnP responses with
    abnormally long values. (CVE-2013-0274)

  - Don't link directly to libgcrypt when building with
    GnuTLS support. (pidgin.im#15329)

  - Fix UPnP mappings on routers that return empty
    <URLBase/> elements in their response. (pidgin.im#15373)

  - Tcl plugin uses saner, race-free plugin loading.

  - Fix the Tcl signals-test plugin for savedstatus-changed.
    (pidgin.im#15443)

  + Pidgin :

  - Make Pidgin more friendly to non-X11 GTK+, such as
    MacPorts' +no_x11 variant.

  + Gadu-Gadu :

  - Fix a crash at startup with large contact list. Avatar
    support for buddies will be disabled until 3.0.0.
    (pidgin.im#15226, pidgin.im#14305)

  + IRC :

  - Support for SASL authentication. (pidgin.im#13270)

  - Print topic setter information at channel join.
    (pidgin.im#13317)

  + MSN :

  - Fix SSL certificate issue when signing into MSN for some
    users.

  - Fix a crash when removing a user before its icon is
    loaded. (pidgin.im#15217)

  + MXit :

  - Fix a bug where a remote MXit user could possibly
    specify a local file path to be written to.
    (CVE-2013-0271)

  - Fix a bug where the MXit server or a man-in-the-middle
    could potentially send specially crafted data that could
    overflow a buffer and lead to a crash or remote code
    execution. (CVE-2013-0272)

  - Display farewell messages in a different colour to
    distinguish them from normal messages.

  - Add support for typing notification.

  - Add support for the Relationship Status profile
    attribute.

  - Remove all reference to Hidden Number.

  - Ignore new invites to join a GroupChat if you're already
    joined, or still have a pending invite.

  - The buddy's name was not centered vertically in the
    buddy-list if they did not have a status-message or mood
    set.

  - Fix decoding of font-size changes in the markup of
    received messages.

  - Increase the maximum file size that can be transferred
    to 1 MB.

  - When setting an avatar image, no longer downscale it to
    96x96.

  + Sametime :

  - Fix a crash in Sametime when a malicious server sends us
    an abnormally long user ID. (CVE-2013-0273)

  + Yahoo! :

  - Fix a double-free in profile/picture loading code.
    (pidgin.im#15053)

  - Fix retrieving server-side buddy aliases.
    (pidgin.im#15381)

  + Plugins :

  - The Voice/Video Settings plugin supports using the sndio
    GStreamer backends. (pidgin.im#14414)

  - Fix a crash in the Contact Availability Detection
    plugin. (pidgin.im#15327)

  - Make the Message Notification plugin more friendly to
    non-X11 GTK+, such as MacPorts' +no_x11 variant.

  + Windows-Specific Changes :

  - Compile with secure flags (pidgin.im#15290)

  - Installer downloads GTK+ Runtime and Debug Symbols more
    securely. (pidgin.im#15277)

  - Updates to a number of dependencies, some of which have
    security related fixes. (pidgin.im#14571,
    pidgin.im#15285, pidgin.im#15286) . ATK 1.32.0-2 . Cyrus
    SASL 2.1.25 . expat 2.1.0-1 . freetype 2.4.10-1 .
    gettext 0.18.1.1-2 . Glib 2.28.8-1 . libpng 1.4.12-1 .
    libxml2 2.9.0-1 . NSS 3.13.6 and NSPR 4.9.2 . Pango
    1.29.4-1 . SILC 1.1.10 . zlib 1.2.5-2

  - Patch libmeanwhile (sametime library) to fix crash.
    (pidgin.im#12637)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=804742"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=806975"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.opensuse.org/opensuse-updates/2013-03/msg00080.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected pidgin packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:finch");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:finch-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:finch-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpurple");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpurple-branding-upstream");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpurple-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpurple-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpurple-lang");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpurple-meanwhile");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpurple-meanwhile-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpurple-tcl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpurple-tcl-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pidgin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pidgin-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pidgin-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:pidgin-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:12.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2013/03/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE12\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "12.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE12.3", reference:"finch-2.10.7-4.4.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"finch-debuginfo-2.10.7-4.4.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"finch-devel-2.10.7-4.4.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"libpurple-2.10.7-4.4.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"libpurple-branding-upstream-2.10.7-4.4.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"libpurple-debuginfo-2.10.7-4.4.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"libpurple-devel-2.10.7-4.4.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"libpurple-lang-2.10.7-4.4.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"libpurple-meanwhile-2.10.7-4.4.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"libpurple-meanwhile-debuginfo-2.10.7-4.4.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"libpurple-tcl-2.10.7-4.4.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"libpurple-tcl-debuginfo-2.10.7-4.4.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"pidgin-2.10.7-4.4.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"pidgin-debuginfo-2.10.7-4.4.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"pidgin-debugsource-2.10.7-4.4.1") ) flag++;
if ( rpm_check(release:"SUSE12.3", reference:"pidgin-devel-2.10.7-4.4.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "pidgin");
}