CVE-2016-2371
https://notcve.org/view.php?id=CVE-2016-2371
An out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution. Existe una vulnerabilidad de escritura fuera de límites en el manejo del protocolo MXIT en Pidgin. Datos MXIT especialmente manipulados enviados a través del servidor podría provocar corrupción de memoria resultando en ejecución de código. • http://www.debian.org/security/2016/dsa-3620 http://www.pidgin.im/news/security/?id=104 http://www.securityfocus.com/bid/91335 http://www.talosintelligence.com/reports/TALOS-2016-0139 http://www.ubuntu.com/usn/USN-3031-1 https://security.gentoo.org/glsa/201701-38 • CWE-787: Out-of-bounds Write •
CVE-2014-3697
https://notcve.org/view.php?id=CVE-2014-3697
Absolute path traversal vulnerability in the untar_block function in win32/untar.c in Pidgin before 2.10.10 on Windows allows remote attackers to write to arbitrary files via a drive name in a tar archive of a smiley theme. Vulnerabilidad de salto de ruta absoluta en la función untar_block en win32/untar.c en Pidgin anterior a 2.10.10 en Windows permite a atacantes remotos escribir a ficheros arbitrarios a través de un nombre drive en un archivo tar de un tema smiley. • http://hg.pidgin.im/pidgin/main/rev/68b8eb10977f http://lists.opensuse.org/opensuse-updates/2014-11/msg00023.html http://lists.opensuse.org/opensuse-updates/2014-11/msg00037.html http://pidgin.im/news/security/?id=89 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2014-3695 – pidgin: crash in Mxit protocol plug-in
https://notcve.org/view.php?id=CVE-2014-3695
markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a large length value in an emoticon response. markup.c en el plugin de protocolo MXit en libpurple en Pidgin anterior a 2.10.10 permite a servidores remotos causar una denegación de servicio (caída de aplicación) a través de un valor grande de longitud en una respuesta emoticon. A denial of service flaw was found in the way Pidgin's Mxit plug-in handled emoticons. A malicious remote server or a man-in-the-middle attacker could potentially use this flaw to crash Pidgin by sending a specially crafted emoticon. • http://hg.pidgin.im/pidgin/main/rev/6436e14bdb9d http://lists.opensuse.org/opensuse-updates/2014-11/msg00023.html http://lists.opensuse.org/opensuse-updates/2014-11/msg00037.html http://pidgin.im/news/security/?id=87 http://secunia.com/advisories/60741 http://secunia.com/advisories/61968 http://www.debian.org/security/2014/dsa-3055 http://www.ubuntu.com/usn/USN-2390-1 https://access.redhat.com/errata/RHSA-2017:1854 https://access.redhat.com/security/cve/CVE-201 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2014-3696 – pidgin: denial of service parsing Groupwise server message
https://notcve.org/view.php?id=CVE-2014-3696
nmevent.c in the Novell GroupWise protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a crafted server message that triggers a large memory allocation. nmevent.c en el plugin del protocolo Novell GroupWise en libpurple en Pidgin anterior a 2.10.10 permite a servidores remotos causar una denegación de servicio (caída de aplicación) a través de un mensaje del servidor manipulado que provoca una reserva grande de memoria. A denial of service flaw was found in the way Pidgin parsed Groupwise server messages. A malicious remote server or a man-in-the-middle attacker could potentially use this flaw to cause Pidgin to consume an excessive amount of memory, possibly leading to a crash, by sending a specially crafted message. • http://hg.pidgin.im/pidgin/main/rev/44fd89158777 http://lists.opensuse.org/opensuse-updates/2014-11/msg00023.html http://lists.opensuse.org/opensuse-updates/2014-11/msg00037.html http://pidgin.im/news/security/?id=88 http://secunia.com/advisories/60741 http://secunia.com/advisories/61968 http://www.debian.org/security/2014/dsa-3055 http://www.ubuntu.com/usn/USN-2390-1 https://access.redhat.com/errata/RHSA-2017:1854 https://access.redhat.com/security/cve/CVE-201 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2014-3694 – pidgin: SSL/TLS plug-ins failed to check Basic Constraints
https://notcve.org/view.php?id=CVE-2014-3694
The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. (1) El plugin bundled GnuTLS SSL/TLS y (2) el plugin bundled OpenSSL SSL/TLS en libpurple en Pidgin anterior a 2.10.10 no consideran debidamente la extensión Basic Constraints durante la verificación de los certificados X.509 de los servidores SSL, lo que permite a atacantes man-in-the-middle suplantar servidores y obtener información sensible a través de un certificado manipulado. It was found that Pidgin's SSL/TLS plug-ins had a flaw in the certificate validation functionality. An attacker could use this flaw to create a fake certificate, that Pidgin would trust, which could be used to conduct man-in-the-middle attacks against Pidgin. • http://hg.pidgin.im/pidgin/main/rev/2e4475087f04 http://lists.opensuse.org/opensuse-updates/2014-11/msg00023.html http://lists.opensuse.org/opensuse-updates/2014-11/msg00037.html http://pidgin.im/news/security/?id=86 http://secunia.com/advisories/60741 http://secunia.com/advisories/61968 http://www.debian.org/security/2014/dsa-3055 http://www.ubuntu.com/usn/USN-2390-1 https://access.redhat.com/errata/RHSA-2017:1854 https://access.redhat.com/security/cve/CVE-201 • CWE-295: Improper Certificate Validation CWE-310: Cryptographic Issues •