Adium vs pidgin1/29/2024 A malicious remote server could potentially use this flaw to crash Pidgin or execute arbitrary code in the context of the pidgin process. Pidgin 2.10.0 uses DBUS for certain cleartext communication, which allows local users to obtain sensitive information via a dbus session monitor.ħ Debian Linux, Pidgin, Enterprise Linux Desktop and 4 moreĪn out-of-bounds write flaw was found in the way Pidgin before 2.12.0 processed XML content. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. NOTE: this issue has been disputed by the upstream vendor, who states: "I was never able to identify a scenario under which a problem occurred and the original reporter wasn't able to supply any sort of reproduction details."Īn issue was discovered in Pidgin before 2.14.9. ** DISPUTED ** Memory leak in Pidgin 2.0.0, and possibly other versions, allows remote attackers to cause a denial of service (memory consumption) via malformed XML documents. NOTE: some of these details are obtained from third party information. Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin before 2.4.3 and Adium before 1.3 allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, a different vulnerability than CVE-2008-2955.īuffer overflow in the XMPP SOCKS5 bytestream server in Pidgin (formerly Gaim) before 2.5.6 allows remote authenticated users to execute arbitrary code via vectors involving an outbound XMPP file transfer. NOTE: this issue exists because of an incomplete fix for CVE-2008-2927. Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin (formerly Gaim) before 2.5.6 on 32-bit platforms allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, leading to buffer overflows. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. Libymsg.c in the Yahoo! protocol plugin in libpurple in Pidgin 2.6.0 through 2.7.10 allows (1) remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via a malformed YMSG notification packet, and allows (2) remote Yahoo! servers to cause a denial of service (NULL pointer dereference and application crash) via a malformed YMSG SMS message.ĭirectory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a. The msn_emoticon_msg function in slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.7.0 allows remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via a custom emoticon in a malformed SLP message.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |