Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client: CVE-2013-6477 Jaime Breva Ribes discovered that a remote XMPP user can trigger a crash by sending a message with a timestamp in the distant future. CVE-2013-6478 Pidgin could be crashed through overly wide tooltip windows. CVE-2013-6479 Jacob Appelbaum discovered that a malicious server or a man in the middle could send a malformed HTTP header resulting in denial of service. CVE-2013-6481 Daniel Atallah discovered that Pidgin could be crashed through malformed Yahoo! P2P messages. CVE-2013-6482 Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed MSN messages. CVE-2013-6483 Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed XMPP messages. CVE-2013-6484 It was discovered that incorrect error handling when reading the response from a STUN server could result in a crash. CVE-2013-6485 Matt Jones discovered a buffer overflow in the parsing of malformed HTTP responses. CVE-2013-6487 Yves Younan and Ryan Pentney discovered a buffer overflow when parsing Gadu-Gadu messages. CVE-2013-6489 Yves Younan and Pawel Janic discovered an integer overflow when parsing MXit emoticons. CVE-2013-6490 Yves Younan discovered a buffer overflow when parsing SIMPLE headers. CVE-2014-0020 Daniel Atallah discovered that Pidgin could be crashed via malformed IRC arguments. For the oldstable distribution (squeeze), no direct backport is provided. A fixed package will be provided through backports.debian.org shortly. For the stable distribution (wheezy), these problems have been fixed in version 2.10.9-1~deb7u1. For the unstable distribution (sid), these problems have been fixed in version 2.10.9-1. We recommend that you upgrade your pidgin packages.
Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client:
Jaime Breva Ribes discovered that a remote XMPP user can trigger a crash by sending a message with a timestamp in the distant future.
Pidgin could be crashed through overly wide tooltip windows.
Jacob Appelbaum discovered that a malicious server or a man in the
middle
could send a malformed HTTP header resulting in denial of
service.
Daniel Atallah discovered that Pidgin could be crashed through malformed Yahoo! P2P messages.
Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed MSN messages.
Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed XMPP messages.
It was discovered that incorrect error handling when reading the response from a STUN server could result in a crash.
Matt Jones discovered a buffer overflow in the parsing of malformed HTTP responses.
Yves Younan and Ryan Pentney discovered a buffer overflow when parsing Gadu-Gadu messages.
Yves Younan and Pawel Janic discovered an integer overflow when parsing MXit emoticons.
Yves Younan discovered a buffer overflow when parsing SIMPLE headers.
Daniel Atallah discovered that Pidgin could be crashed via malformed IRC arguments.
For the oldstable distribution (squeeze), no direct backport is provided. A fixed package will be provided through backports.debian.org shortly.
For the stable distribution (wheezy), these problems have been fixed in version 2.10.9-1~deb7u1.
For the unstable distribution (sid), these problems have been fixed in version 2.10.9-1.
We recommend that you upgrade your pidgin packages.