SB2014102903 - Multiple vulnerabilities in pidgin.im Pidgin

Security Bulletin ID SB2014102903

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 4

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 4 vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2014-3695)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a large length value in an emoticon response.

2) Buffer overflow (CVE-ID: CVE-2014-3696)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

nmevent.c in the Novell GroupWise protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a crafted server message that triggers a large memory allocation.

3) Path traversal (CVE-ID: CVE-2014-3697)

The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.

Absolute path traversal vulnerability in the untar_block function in win32/untar.c in Pidgin before 2.10.10 on Windows allows remote attackers to write to arbitrary files via a drive name in a tar archive of a smiley theme.

4) Information disclosure (CVE-ID: CVE-2014-3698)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The jabber_idn_validate function in jutil.c in the Jabber protocol plugin in libpurple in Pidgin before 2.10.10 allows remote attackers to obtain sensitive information from process memory via a crafted XMPP message.

Remediation

Install update from vendor's website.

SB2014102903 - Multiple vulnerabilities in pidgin.im Pidgin

Breakdown by Severity

Description

Remediation

References

Please verify you're human