Title: Pidgin UPnP and Jabber Protocols Multiple Denial of Service Vulnerabilities
Severity: MODERATE
Description:
Pidgin is a chat client available for multiple operating systems.
The application is prone to multiple denial-of-service vulnerabilities affecting the UPnP and Jabber protocols:
1. Untrusted XML documents can be exchanged. Attackers can exploit this to cause memory leaks and application crashes when a pidgin client connects to a malicious Jabber server.
2. Downloads of arbitrary size are allowed via the UPnP protocol. Attackers can exploit this to cause excessive resource allocations and application crashes, denying service to legitimate users.
Pidgin 2.0.0 is vulnerable; other versions, including Gaim 2.0.0 beta versions, may also be affected.
Affected Products:
- Pidgin Pidgin 2.0.0
- rPath rPath Linux 1
References:
- Colorado Research Institute for Security and Privacy: CRISP Advisory 2007-01: Multiple vulnerabilities in pidgin
- Pidgin: Pidgin Homepage
- Nico Golde: Re: Re: CVE Request (pidgin)
