Title: Pidgin UPnP and Jabber Protocols Multiple Denial of Service Vulnerabilities
Severity: MODERATE
Description:
Pidgin is a chat client available for multiple operating systems.
The application is prone to multiple denial-of-service vulnerabilities affecting the UPnP and Jabber protocols:
1. Untrusted XML documents can be exchanged. Attackers can exploit this to cause memory leaks and application crashes when a pidgin client connects to a malicious Jabber server.
2. Downloads of arbitrary size are allowed via the UPnP protocol. Attackers can exploit this to cause excessive resource allocations and application crashes, denying service to legitimate users.
Pidgin 2.0.0 is vulnerable; other versions, including Gaim 2.0.0 beta versions, may also be affected.
Affected Products:
- Pidgin Pidgin 2.0.0
- RedHat Enterprise Linux AS 4
- RedHat Enterprise Linux Desktop 5 client
- RedHat Enterprise Linux Desktop Workstation 5 client
- RedHat Enterprise Linux Desktop version 4
- RedHat Enterprise Linux ES 4
- RedHat Enterprise Linux Optional Productivity Application 5 server
- RedHat Enterprise Linux WS 4
- Ubuntu Ubuntu Linux 7.10 amd64
- Ubuntu Ubuntu Linux 7.10 i386
- Ubuntu Ubuntu Linux 7.10 lpia
- Ubuntu Ubuntu Linux 7.10 powerpc
- Ubuntu Ubuntu Linux 7.10 sparc
- Ubuntu Ubuntu Linux 8.04 LTS amd64
- Ubuntu Ubuntu Linux 8.04 LTS i386
- Ubuntu Ubuntu Linux 8.04 LTS lpia
- Ubuntu Ubuntu Linux 8.04 LTS powerpc
- Ubuntu Ubuntu Linux 8.04 LTS sparc
- rPath rPath Linux 1
References:
- Colorado Research Institute for Security and Privacy: CRISP Advisory 2007-01: Multiple vulnerabilities in pidgin
- Pidgin: Pidgin Homepage
- Nico Golde: Re: Re: CVE Request (pidgin)