Input validation error in pidgin.im Pidgin



| Updated: 2020-07-28
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2011-1091
CWE-ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Pidgin
Client/Desktop applications / Messaging software

Vendor pidgin.im

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Input validation error

EUVDB-ID: #VU32837

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2011-1091

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows (1) remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via a malformed YMSG notification packet, and allows (2) remote Yahoo! servers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (NULL pointer dereference and application crash) via a malformed YMSG SMS message.

Mitigation

Update to version 2.7.11.

Vulnerable software versions

Pidgin: 2.6.0 - 2.7.10

CPE2.3 External links

https://developer.pidgin.im/viewmtn/revision/diff/5cbe18129b6e7c660bc093f7e5e1414ceca17d04/with/a7c415abba1f5f01f79295337518837f73d99bb7/libpurple/protocols/yahoo/libymsg.c
https://developer.pidgin.im/viewmtn/revision/info/a7c415abba1f5f01f79295337518837f73d99bb7
https://lists.fedoraproject.org/pipermail/package-announce/2011-March/055874.html
https://lists.fedoraproject.org/pipermail/package-announce/2011-March/056309.html
https://secunia.com/advisories/43695
https://secunia.com/advisories/43721
https://secunia.com/advisories/46376
https://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.466884
https://www.pidgin.im/news/security/?id=51
https://www.redhat.com/support/errata/RHSA-2011-0616.html
https://www.redhat.com/support/errata/RHSA-2011-1371.html
https://www.securityfocus.com/bid/46837
https://www.vupen.com/english/advisories/2011/0643
https://www.vupen.com/english/advisories/2011/0661
https://www.vupen.com/english/advisories/2011/0669
https://www.vupen.com/english/advisories/2011/0703
https://bugzilla.redhat.com/show_bug.cgi?id=683031
https://exchange.xforce.ibmcloud.com/vulnerabilities/66055
https://hermes.opensuse.org/messages/13195955
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18402


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###