
CVE-2014-3694 – pidgin: SSL/TLS plug-ins failed to check Basic Constraints
https://notcve.org/view.php?id=CVE-2014-3694
24 Oct 2014 — The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. (1) El plugin bundled GnuTLS SSL/TLS y (2) el plugin bundled OpenSSL SSL/TLS en libpurple en Pidgin anterior a 2.10.10 no consideran debidamente la extensión ... • http://hg.pidgin.im/pidgin/main/rev/2e4475087f04 • CWE-295: Improper Certificate Validation CWE-310: Cryptographic Issues •

CVE-2014-3697 – Slackware Security Advisory - pidgin Updates
https://notcve.org/view.php?id=CVE-2014-3697
24 Oct 2014 — Absolute path traversal vulnerability in the untar_block function in win32/untar.c in Pidgin before 2.10.10 on Windows allows remote attackers to write to arbitrary files via a drive name in a tar archive of a smiley theme. Vulnerabilidad de salto de ruta absoluta en la función untar_block en win32/untar.c en Pidgin anterior a 2.10.10 en Windows permite a atacantes remotos escribir a ficheros arbitrarios a través de un nombre drive en un archivo tar de un tema smiley. New pidgin packages are available for S... • http://hg.pidgin.im/pidgin/main/rev/68b8eb10977f • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2014-3695 – pidgin: crash in Mxit protocol plug-in
https://notcve.org/view.php?id=CVE-2014-3695
24 Oct 2014 — markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a large length value in an emoticon response. markup.c en el plugin de protocolo MXit en libpurple en Pidgin anterior a 2.10.10 permite a servidores remotos causar una denegación de servicio (caída de aplicación) a través de un valor grande de longitud en una respuesta emoticon. A denial of service flaw was found in the way Pidgin's Mxit plug-in handled emotic... • http://hg.pidgin.im/pidgin/main/rev/6436e14bdb9d • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVE-2014-3698 – pidgin: remote information leak via crafted XMPP message
https://notcve.org/view.php?id=CVE-2014-3698
24 Oct 2014 — The jabber_idn_validate function in jutil.c in the Jabber protocol plugin in libpurple in Pidgin before 2.10.10 allows remote attackers to obtain sensitive information from process memory via a crafted XMPP message. La función jabber_idn_validate en jutil.c en el plugin de protocolo Jabber en libpurple en Pidgin anterior a 2.10.10 permite a atacantes remotos obtener información sensible de la memoria de procesos a través de un mensaje XMPP manipulado. An information disclosure flaw was discovered in the way... • http://hg.pidgin.im/pidgin/main/rev/ea46ab68f0dc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-201: Insertion of Sensitive Information Into Sent Data •

CVE-2014-3696 – pidgin: denial of service parsing Groupwise server message
https://notcve.org/view.php?id=CVE-2014-3696
24 Oct 2014 — nmevent.c in the Novell GroupWise protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a crafted server message that triggers a large memory allocation. nmevent.c en el plugin del protocolo Novell GroupWise en libpurple en Pidgin anterior a 2.10.10 permite a servidores remotos causar una denegación de servicio (caída de aplicación) a través de un mensaje del servidor manipulado que provoca una reserva grande de memoria. A denial of ... • http://hg.pidgin.im/pidgin/main/rev/44fd89158777 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2013-6481 – pidgin: DoS caused due to OOB read in Yahoo protocol plugin
https://notcve.org/view.php?id=CVE-2013-6481
04 Feb 2014 — libpurple/protocols/yahoo/libymsg.c in Pidgin before 2.10.8 allows remote attackers to cause a denial of service (crash) via a Yahoo! P2P message with a crafted length field, which triggers a buffer over-read. libpurple/protocols/yahoo/libymsg.c en Pidgin anterior a 2.10.8 permite a atacantes remotos causar una denegación de servicio (caída) a través de un mensaje Yahoo! P2P con un campo "length" manipulado, lo que provoca una sobre-lectura del buffer. The Yahoo! protocol plugin in libpurple in Pidgin befor... • http://hg.pidgin.im/pidgin/main/rev/4d139ce8f7ec • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-bounds Read •

CVE-2013-6487 – pidgin: Heap-based buffer overflow in Gadu-Gadu protocol plugin
https://notcve.org/view.php?id=CVE-2013-6487
04 Feb 2014 — Integer overflow in libpurple/protocols/gg/lib/http.c in the Gadu-Gadu (gg) parser in Pidgin before 2.10.8 allows remote attackers to have an unspecified impact via a large Content-Length value, which triggers a buffer overflow. Desbordamiento de entero en libpurple/protocols/gg/lib/http.c en el analizador Gadu-Gadu (gg) en Pidgin anterior a 2.10.8 permite a atacantes remotos tener un impacto no especificado a través de un valor Content-Length largo, lo que provoca un desbordamiento de buffer. The Yahoo! pr... • http://advisories.mageia.org/MGASA-2014-0074.html • CWE-122: Heap-based Buffer Overflow CWE-189: Numeric Errors •

CVE-2012-6152 – pidgin: DoS when decoding non-UTF-8 strings in Yahoo protocol plugin
https://notcve.org/view.php?id=CVE-2012-6152
04 Feb 2014 — The Yahoo! protocol plugin in libpurple in Pidgin before 2.10.8 does not properly validate UTF-8 data, which allows remote attackers to cause a denial of service (application crash) via crafted byte sequences. El plugin del protocolo de Yahoo! en libpurple en Pidgin anterior a 2.10.8 no valida debidamente datos UTF-8, lo que permite a atacantes remotos causar una denegación de servicio (caída de la aplicación) a través de secuencias de bytes manipuladas. The Yahoo! • http://hg.pidgin.im/pidgin/main/rev/b0345c25f886 • CWE-20: Improper Input Validation CWE-172: Encoding Error •

CVE-2013-6485 – pidgin: Heap-based buffer overflow when parsing chunked HTTP responses
https://notcve.org/view.php?id=CVE-2013-6485
04 Feb 2014 — Buffer overflow in util.c in libpurple in Pidgin before 2.10.8 allows remote HTTP servers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid chunk-size field in chunked transfer-coding data. Desbordamiento de buffer en util.c en libpurple en Pidgin anterior a 2.10.8 permite a servidores HTTP remotos causar una denegación de servicio (caída de la aplicación) o posiblemente tener otro impacto no especificado a través del campo de tamaño de fragmento en da... • http://hg.pidgin.im/pidgin/main/rev/c9e5aba2dafd • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122: Heap-based Buffer Overflow •

CVE-2013-6489 – pidgin: Heap-based buffer overflow in MXit emoticon parsing
https://notcve.org/view.php?id=CVE-2013-6489
04 Feb 2014 — Integer signedness error in the MXit functionality in Pidgin before 2.10.8 allows remote attackers to cause a denial of service (segmentation fault) via a crafted emoticon value, which triggers an integer overflow and a buffer overflow. Error de signo de enteros en la funcionalidad MXit en Pidgin anterior a 2.10.8 permite a atacantes remotos causar una denegación de servicio (fallo de segmentación) a través de un valor manipulado de emoticono, lo que provoca un desbordamiento de entero y desbordamiento de b... • http://hg.pidgin.im/pidgin/main/rev/4c897372b5a4 • CWE-122: Heap-based Buffer Overflow CWE-189: Numeric Errors •