#VU42059 Input validation error in Pidgin - CVE-2013-6489

Cybersecurity Help s.r.o.

Published: 2014-02-06 | Updated: 2020-08-10

Vulnerability identifier: #VU42059

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2013-6489

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pidgin
Client/Desktop applications / Messaging software

Vendor: pidgin.im

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Integer signedness error in the MXit functionality in Pidgin before 2.10.8 allows remote attackers to cause a denial of service (segmentation fault) via a crafted emoticon value, which triggers an integer overflow and a buffer overflow.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Pidgin: 2.0.0 - 2.10.6

External links
https://hg.pidgin.im/pidgin/main/rev/4c897372b5a4
https://www.debian.org/security/2014/dsa-2859
https://www.pidgin.im/news/security/?id=83
https://www.securityfocus.com/bid/65192
https://www.ubuntu.com/usn/USN-2100-1
https://rhn.redhat.com/errata/RHSA-2014-0139.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Pidgin

Multiple vulnerabilities in pidgin.im Pidgin

Slackware Linux update for pidgin