MGASA-2014-0425

Source
https://advisories.mageia.org/MGASA-2014-0425.html
Import Source
https://advisories.mageia.org/MGASA-2014-0425.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2014-0425
Related
Published
2014-10-25T20:23:09Z
Modified
2014-10-25T19:56:36Z
Summary
Updated pidgin packages fix security vulnerabilities
Details

In Pidgin before 2.10.10, both of libpurple's bundled SSL/TLS plugins (one for GnuTLS and one for NSS) failed to check that the Basic Constraints extension allowed intermediate certificates to act as CAs. This allowed anyone with any valid certificate to create a fake certificate for any arbitrary domain and Pidgin would trust it (CVE-2014-3694).

In Pidgin before 2.10.10, a malicious server or man-in-the-middle could trigger a crash in libpurple by sending an emoticon with an overly large length value (CVE-2014-3695).

In Pidgin before 2.10.10, a malicious server or man-in-the-middle could trigger a crash in libpurple by specifying that a large amount of memory should be allocated in many places in the UI (CVE-2014-3696).

In Pidgin before 2.10.10, a malicious server and possibly even a malicious remote user could create a carefully crafted XMPP message that causes libpurple to send an XMPP message containing arbitrary memory (CVE-2014-3698).

The pidgin package has been updated to version 2.10.10 which fixes these issues and other bugs.

References
Credits

Affected packages

Mageia:3 / pidgin

Package

Name
pidgin
Purl
pkg:rpm/mageia/pidgin?distro=mageia-3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.10.10-1.mga3

Ecosystem specific

{
    "section": "core"
}

Mageia:4 / pidgin

Package

Name
pidgin
Purl
pkg:rpm/mageia/pidgin?distro=mageia-4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.10.10-1.mga4

Ecosystem specific

{
    "section": "core"
}