
Pidgin 'msn_oim_report_to_user()' Denial of Service Vulnerability

http://www.securityfocus.com/bid/52475

Security Info

Bugtraq ID: 52475
Class: Design Error
CVE: CVE-2012-1178
Remote: Yes
Local: No
Published: Mar 14 2012 12:00AM
Updated: Jun 22 2012 10:00PM
Credit: Thijs Alkemade
Vulnerable: SuSE SUSE Linux Enterprise SDK 11 SP2
SuSE SUSE Linux Enterprise SDK 11 SP1
SuSE SUSE Linux Enterprise SDK 10 SP4
SuSE SUSE Linux Enterprise Desktop 11 SP2
+ Linux kernel 2.6.5
SuSE SUSE Linux Enterprise Desktop 11 SP1
+ Linux kernel 2.6.5
SuSE SUSE Linux Enterprise Desktop 10 SP4
+ Linux kernel 2.6.5
Red Hat Fedora 16
Pidgin Pidgin 2.10.1
Pidgin Pidgin 2.9
Pidgin Pidgin 2.8
Pidgin Pidgin 2.7.6
Pidgin Pidgin 2.7.5
Pidgin Pidgin 2.7.4
Pidgin Pidgin 2.7.3
Pidgin Pidgin 2.7.2
Pidgin Pidgin 2.7.1
Pidgin Pidgin 2.7
Pidgin Pidgin 2.6.6
Pidgin Pidgin 2.6.5
Pidgin Pidgin 2.6.4
Pidgin Pidgin 2.6.3
Pidgin Pidgin 2.6.1
Pidgin Pidgin 2.6
Pidgin Pidgin 2.5.9
Pidgin Pidgin 2.5.8
Pidgin Pidgin 2.5.7
Pidgin Pidgin 2.5.6
Pidgin Pidgin 2.5.5
Pidgin Pidgin 2.4.3
Pidgin Pidgin 2.4.2
Pidgin Pidgin 2.4.1
Pidgin Pidgin 2.4
Pidgin Pidgin 2.2.2
Pidgin Pidgin 2.2.1
Pidgin Pidgin 2.2
Pidgin Pidgin 2.1
Pidgin Pidgin 2.0.2
Pidgin Pidgin 2.0
Pidgin Pidgin 2.10.0
Mandriva Linux Mandrake 2011 x86_64
Mandriva Linux Mandrake 2011
MandrakeSoft Enterprise Server 5 x86_64
MandrakeSoft Enterprise Server 5
Not Vulnerable: Pidgin Pidgin 2.10.2

Security Discussion

Pidgin is prone to a denial-of-service vulnerability.

Successful exploits will cause the affected application to crash, effectively denying service to legitimate users.

Versions prior to Pidgin 2.10.2 are vulnerable.

Proof of Concept and Security Exploits

Currently we are not aware of any exploits. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

Security Solution(s)

Solution:
Updates are available. Please see the references for more information.


MandrakeSoft Enterprise Server 5 x86_64

MandrakeSoft Enterprise Server 5

Mandriva Linux Mandrake 2011 x86_64

Mandriva Linux Mandrake 2011

Security Reference(s)

References:

Site Updated May 23, 2013
©2000-2013 Emagined Security
All Rights Reserved