
CVE-2014-3696 – pidgin: denial of service parsing Groupwise server message
https://notcve.org/view.php?id=CVE-2014-3696
24 Oct 2014 — nmevent.c in the Novell GroupWise protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a crafted server message that triggers a large memory allocation. A denial of ... • http://hg.pidgin.im/pidgin/main/rev/44fd89158777 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer; CWE-770: Allocation of Resources Without Limits or Throttling

CVE-2014-3698 – pidgin: remote information leak via crafted XMPP message
https://notcve.org/view.php?id=CVE-2014-3698
24 Oct 2014 — The jabber_idn_validate function in jutil.c in the Jabber protocol plugin in libpurple in Pidgin before 2.10.10 allows remote attackers to obtain sensitive information from process memory via a crafted XMPP message. An information disclosure flaw was discovered in the way... • http://hg.pidgin.im/pidgin/main/rev/ea46ab68f0dc • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-201: Insertion of Sensitive Information Into Sent Data

CVE-2014-3694 – pidgin: SSL/TLS plug-ins failed to check Basic Constraints
https://notcve.org/view.php?id=CVE-2014-3694
24 Oct 2014 — The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. • http://hg.pidgin.im/pidgin/main/rev/2e4475087f04 • CWE-295: Improper Certificate Validation; CWE-310: Cryptographic Issues

CVE-2014-3697 – Slackware Security Advisory - pidgin Updates
https://notcve.org/view.php?id=CVE-2014-3697
24 Oct 2014 — Absolute path traversal vulnerability in the untar_block function in win32/untar.c in Pidgin before 2.10.10 on Windows allows remote attackers to write to arbitrary files via a drive name in a tar archive of a smiley theme. New pidgin packages are available for S... • http://hg.pidgin.im/pidgin/main/rev/68b8eb10977f • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2014-3695 – pidgin: crash in Mxit protocol plug-in
https://notcve.org/view.php?id=CVE-2014-3695
24 Oct 2014 — markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a large length value in an emoticon response. A denial of service flaw was found in the way Pidgin's Mxit plug-in handled emotic... • http://hg.pidgin.im/pidgin/main/rev/6436e14bdb9d • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVE-2013-6482 – pidgin: DoS via multiple null pointer dereferences in MSN protocol plugin
https://notcve.org/view.php?id=CVE-2013-6482
04 Feb 2014 — Pidgin before 2.10.8 allows remote MSN servers to cause a denial of service (NULL pointer dereference and crash) via a crafted (1) SOAP response, (2) OIM XML response, or (3) Content-Length header. The Yahoo! protocol plugin in libpurple in Pidgin before 2.10.8 does not properly val... • http://lists.opensuse.org/opensuse-updates/2014-02/msg00039.html • CWE-20: Improper Input Validation; CWE-476: NULL Pointer Dereference

CVE-2013-6490 – pidgin: Heap-based buffer overflow in SIMPLE protocol plugin
https://notcve.org/view.php?id=CVE-2013-6490
04 Feb 2014 — The SIMPLE protocol functionality in Pidgin before 2.10.8 allows remote attackers to have an unspecified impact via a negative Content-Length header, which triggers a buffer overflow. The Yahoo! protocol plugin in libpurple in Pidgin before 2.10.8 does not properly validate UTF-8 data, whic... • https://github.com/Everdoh/CVE-2013-6490 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer; CWE-122: Heap-based Buffer Overflow

CVE-2013-6479 – pidgin: DoS when parsing certain HTTP response headers
https://notcve.org/view.php?id=CVE-2013-6479
04 Feb 2014 — util.c in libpurple in Pidgin before 2.10.8 does not properly allocate memory for HTTP responses that are inconsistent with the Content-Length header, which allows remote HTTP servers to cause a denial of service (application crash) via a crafted response. • http://hg.pidgin.im/pidgin/main/rev/cd529e1158d3 • CWE-399: Resource Management Errors

CVE-2013-6483 – pidgin: Possible spoofing using iq replies in XMPP protocol plugin
https://notcve.org/view.php?id=CVE-2013-6483
04 Feb 2014 — The XMPP protocol plugin in libpurple in Pidgin before 2.10.8 does not properly determine whether the from address in an iq reply is consistent with the to address in an iq request, which allows remote attackers to spoof iq traffic or cause a denial of service (NULL pointer dereference and application crash) via a crafted reply. • http://hg.pidgin.im/pidgin/main/rev/93d4bff19574 • CWE-20: Improper Input Validation; CWE-290: Authentication Bypass by Spoofing

CVE-2013-6486 – Mandriva Linux Security Advisory 2014-025
https://notcve.org/view.php?id=CVE-2013-6486
04 Feb 2014 — gtkutils.c in Pidgin before 2.10.8 on Windows allows user-assisted remote attackers to execute arbitrary programs via a message containing a file: URL that is improperly handled during construction of an explorer.exe command. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3185. • http://hg.pidgin.im/pidgin/main/rev/b2571530fa8b • CWE-20: Improper Input Validation