Pidgin: Multiple vulnerabilities
Multiple vulnerabilities have been discovered in Pidgin, allowing for
remote arbitrary code execution, Denial of Service and service spoofing.
pidgin
January 20, 2009
January 20, 2009: 01
230045
234135
remote
2.5.1
2.5.1
Pidgin (formerly Gaim) is an instant messaging client for a variety of
instant messaging protocols. It is based on the libpurple instant
messaging library.
Multiple vulnerabilities have been discovered in Pidgin and the
libpurple library:
-
A participant to the TippingPoint ZDI reported multiple integer
overflows in the msn_slplink_process_msg() function in the MSN protocol
implementation (CVE-2008-2927).
-
Juan Pablo Lopez Yacubian is credited for reporting a use-after-free
flaw in msn_slplink_process_msg() in the MSN protocol implementation
(CVE-2008-2955).
-
The included UPnP server does not limit the size of data to be
downloaded for UPnP service discovery, according to a report by Andrew
Hunt and Christian Grothoff (CVE-2008-2957).
-
Josh Triplett discovered that the NSS plugin for libpurple does not
properly verify SSL certificates (CVE-2008-3532).
A remote attacker could send specially crafted messages or files using
the MSN protocol which could result