Synopsis:    Moderate: pidgin security update
Advisory ID: SLSA-2014:0139-1
Issue Date:  2014-02-05
CVE Numbers: CVE-2012-6152
             CVE-2013-6477
             CVE-2013-6478
             CVE-2013-6479
             CVE-2013-6481
             CVE-2013-6482
             CVE-2013-6483
             CVE-2013-6484
             CVE-2013-6485
             CVE-2013-6487
             CVE-2013-6489
             CVE-2013-6490
             CVE-2014-0020
--

A heap-based buffer overflow flaw was found in the way Pidgin processed certain HTTP responses. A malicious server could send a specially crafted HTTP response, causing Pidgin to crash or potentially execute arbitrary code with the permissions of the user running Pidgin. (CVE-2013-6485)

Multiple heap-based buffer overflow flaws were found in several protocol plug-ins in Pidgin (Gadu-Gadu, MXit, SIMPLE). A malicious server could send a specially crafted message, causing Pidgin to crash or potentially execute arbitrary code with the permissions of the user running Pidgin. (CVE-2013-6487, CVE-2013-6489, CVE-2013-6490)

Multiple denial of service flaws were found in several protocol plug-ins in Pidgin (Yahoo!, XMPP, MSN, stun, IRC). A remote attacker could use these flaws to crash Pidgin by sending a specially crafted message. (CVE-2012-6152, CVE-2013-6477, CVE-2013-6481, CVE-2013-6482, CVE-2013-6484, CVE-2014-0020)

It was found that the Pidgin XMPP protocol plug-in did not verify the origin of "iq" replies. A remote attacker could use this flaw to spoof an "iq" reply, which could lead to injection of fake data or cause Pidgin to crash via a NULL pointer dereference. (CVE-2013-6483)

A flaw was found in the way Pidgin parsed certain HTTP response headers. A remote attacker could use this flaw to crash Pidgin via a specially crafted HTTP response header. (CVE-2013-6479)

It was found that Pidgin crashed when a mouse pointer was hovered over a long URL. A remote attacker could use this flaw to crash Pidgin by sending a message containing a long URL string. (CVE-2013-6478)

Pidgin must be restarted for this update to take effect.
--

SL5
  x86_64
    finch-2.6.6-32.el5.i386.rpm
    finch-2.6.6-32.el5.x86_64.rpm
    libpurple-2.6.6-32.el5.i386.rpm
    libpurple-2.6.6-32.el5.x86_64.rpm
    libpurple-perl-2.6.6-32.el5.x86_64.rpm
    libpurple-tcl-2.6.6-32.el5.x86_64.rpm
    pidgin-2.6.6-32.el5.i386.rpm
    pidgin-2.6.6-32.el5.x86_64.rpm
    pidgin-debuginfo-2.6.6-32.el5.i386.rpm
    pidgin-debuginfo-2.6.6-32.el5.x86_64.rpm
    pidgin-perl-2.6.6-32.el5.x86_64.rpm
    finch-devel-2.6.6-32.el5.i386.rpm
    finch-devel-2.6.6-32.el5.x86_64.rpm
    libpurple-devel-2.6.6-32.el5.i386.rpm
    libpurple-devel-2.6.6-32.el5.x86_64.rpm
    pidgin-devel-2.6.6-32.el5.i386.rpm
    pidgin-devel-2.6.6-32.el5.x86_64.rpm
  i386
    finch-2.6.6-32.el5.i386.rpm
    libpurple-2.6.6-32.el5.i386.rpm
    libpurple-perl-2.6.6-32.el5.i386.rpm
    libpurple-tcl-2.6.6-32.el5.i386.rpm
    pidgin-2.6.6-32.el5.i386.rpm
    pidgin-debuginfo-2.6.6-32.el5.i386.rpm
    pidgin-perl-2.6.6-32.el5.i386.rpm
    finch-devel-2.6.6-32.el5.i386.rpm
    libpurple-devel-2.6.6-32.el5.i386.rpm
    pidgin-devel-2.6.6-32.el5.i386.rpm

SL6
  x86_64
    libpurple-2.7.9-27.el6.i686.rpm
    libpurple-2.7.9-27.el6.x86_64.rpm
    pidgin-2.7.9-27.el6.x86_64.rpm
    pidgin-debuginfo-2.7.9-27.el6.i686.rpm
    pidgin-debuginfo-2.7.9-27.el6.x86_64.rpm
    finch-2.7.9-27.el6.i686.rpm
    finch-2.7.9-27.el6.x86_64.rpm
    finch-devel-2.7.9-27.el6.i686.rpm
    finch-devel-2.7.9-27.el6.x86_64.rpm
    libpurple-devel-2.7.9-27.el6.i686.rpm
    libpurple-devel-2.7.9-27.el6.x86_64.rpm
    libpurple-perl-2.7.9-27.el6.x86_64.rpm
    libpurple-tcl-2.7.9-27.el6.x86_64.rpm
    pidgin-devel-2.7.9-27.el6.i686.rpm
    pidgin-devel-2.7.9-27.el6.x86_64.rpm
    pidgin-docs-2.7.9-27.el6.x86_64.rpm
    pidgin-perl-2.7.9-27.el6.x86_64.rpm
  i386
    libpurple-2.7.9-27.el6.i686.rpm
    pidgin-2.7.9-27.el6.i686.rpm
    pidgin-debuginfo-2.7.9-27.el6.i686.rpm
    finch-2.7.9-27.el6.i686.rpm
    finch-devel-2.7.9-27.el6.i686.rpm
    libpurple-devel-2.7.9-27.el6.i686.rpm
    libpurple-perl-2.7.9-27.el6.i686.rpm
    libpurple-tcl-2.7.9-27.el6.i686.rpm
    pidgin-devel-2.7.9-27.el6.i686.rpm
    pidgin-docs-2.7.9-27.el6.i686.rpm
    pidgin-perl-2.7.9-27.el6.i686.rpm

- Scientific Linux Development Team
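Added example, not part of the advisory and not Scientific Linux tooling: a small POSIX sh script that decides, for each installed pidgin-family package, whether it is at or above the fixed version-release this advisory ships (2.6.6-32.el5 for SL5, 2.7.9-27.el6 for SL6). It assumes input lines in the form `rpm -qa` prints (name-version-release.arch); the function names `fixed_vr_for`, `vr_ge` and `check_pkg` and the sample package list are constructed for this example. The version comparison is a simplified stand-in for rpm's own `rpmvercmp` (numeric where both segments are digits, string otherwise), which is enough for the packages here but not a general replacement.

```shell
#!/bin/sh
# Added example (not from the advisory): check installed pidgin-family packages
# against the fixed version-release strings in SLSA-2014:0139-1.
# Input lines are in `rpm -qa` form: name-version-release.arch

# Fixed version-release per distribution release, taken from the advisory's
# package list.  Anything else (e.g. el7) is outside this advisory's scope.
fixed_vr_for() {
    case "$1" in
        *.el5) printf '%s\n' "2.6.6-32.el5" ;;
        *.el6) printf '%s\n' "2.7.9-27.el6" ;;
        *)     printf '\n' ;;
    esac
}

# vr_ge A B: succeed (exit 0) when version-release A is >= B.
# Segments are split on '.' and '-' and compared numerically when both
# sides are all digits, otherwise as strings.  Simplified stand-in for
# rpm's rpmvercmp; adequate for the package versions in this advisory.
vr_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[.-]/); nb = split(b, B, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] : "0"
            y = (i <= nb) ? B[i] : "0"
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { x += 0; y += 0 }
            if (x < y) exit 1
            if (x > y) exit 0
        }
        exit 0
    }'
}

# check_pkg LINE: print OK, UPDATE, or SKIP for one `rpm -qa` line.
# SKIP means the package is not covered by this advisory (wrong name
# or a distribution release the advisory does not list).
check_pkg() {
    nvra="$1"
    nvr=${nvra%.*}             # drop the .arch suffix
    case "$nvr" in
        finch-*|libpurple-*|pidgin-*) ;;
        *) printf 'SKIP\n'; return 0 ;;
    esac
    rel=${nvr##*-}             # e.g. 32.el5
    nv=${nvr%-*}               # e.g. libpurple-devel-2.6.6
    ver=${nv##*-}              # e.g. 2.6.6
    fixed=$(fixed_vr_for "$rel")
    if [ -z "$fixed" ]; then
        printf 'SKIP\n'; return 0
    fi
    if vr_ge "$ver-$rel" "$fixed"; then
        printf 'OK\n'
    else
        printf 'UPDATE\n'
    fi
}

# Constructed sample of `rpm -qa` output (not real host data).
sample_pkgs='pidgin-2.6.6-31.el5.x86_64
libpurple-2.6.6-32.el5.x86_64
libpurple-2.7.9-27.el6.x86_64
pidgin-debuginfo-2.7.9-28.el6.i686
finch-2.7.9-4.el6.x86_64
bash-4.1.2-15.el6.x86_64
pidgin-2.10.7-3.el7.x86_64'

# Report one line per package.  On a real host, replace the sample with:
#   rpm -qa 'pidgin*' 'libpurple*' 'finch*'
printf '%s\n' "$sample_pkgs" | while IFS= read -r pkg; do
    printf '%-40s %s\n' "$pkg" "$(check_pkg "$pkg")"
done
```

The `finch-2.7.9-4.el6` sample line is there to show why the numeric comparison matters: a plain string compare would rank release 4 above release 27 and report the package as patched. Because the advisory notes that Pidgin must be restarted for the update to take effect, an OK result from the package check still leaves the running process to verify; a long-lived Pidgin started before the update is still the old code.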