Pidgin Jingle Extension XMPP Protocol Denial of Service Vulnerabilities
BID:51070
Info
| Bugtraq ID: | 51070 |
| Class: | Design Error |
| CVE: | CVE-2011-4602 |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 14 2011 12:00AM |
| Updated: | Apr 16 2015 06:13PM |
| Credit: | Thijs Alkemade |
| Vulnerable: | Ubuntu Ubuntu Linux 12.04 LTS i386, Ubuntu Ubuntu Linux 12.04 LTS amd64, Ubuntu Ubuntu Linux 11.10 i386, Ubuntu Ubuntu Linux 11.10 amd64, Ubuntu Ubuntu Linux 11.04 powerpc, Ubuntu Ubuntu Linux 11.04 i386, Ubuntu Ubuntu Linux 11.04 ARM, Ubuntu Ubuntu Linux 11.04 amd64, Ubuntu Ubuntu Linux 10.04 sparc, Ubuntu Ubuntu Linux 10.04 powerpc, Ubuntu Ubuntu Linux 10.04 i386, Ubuntu Ubuntu Linux 10.04 ARM, Ubuntu Ubuntu Linux 10.04 amd64, Sun Solaris 10, RedHat Enterprise Linux WS 4, RedHat Enterprise Linux Optional Productivity Application 5 server, RedHat Enterprise Linux ES 4, RedHat Enterprise Linux Desktop Workstation 5 client, Red Hat Enterprise Linux Workstation Optional 6, Red Hat Enterprise Linux Workstation 6, Red Hat Enterprise Linux Server 6, Red Hat Enterprise Linux Desktop Optional 6, Red Hat Enterprise Linux Desktop 6, Red Hat Enterprise Linux Desktop 5 client, Red Hat Enterprise Linux AS 4, Pidgin Pidgin 2.9, Pidgin Pidgin 2.8, Pidgin Pidgin 2.7.6, Pidgin Pidgin 2.7.5, Pidgin Pidgin 2.7.4, Pidgin Pidgin 2.7.3, Pidgin Pidgin 2.7.2, Pidgin Pidgin 2.7.1, Pidgin Pidgin 2.7, Pidgin Pidgin 2.6.6, Pidgin Pidgin 2.6.5, Pidgin Pidgin 2.6.4, Pidgin Pidgin 2.6.3, Pidgin Pidgin 2.6.1, Pidgin Pidgin 2.6, Pidgin Pidgin 2.5.9, Pidgin Pidgin 2.5.8, Pidgin Pidgin 2.5.7, Pidgin Pidgin 2.5.6, Pidgin Pidgin 2.5.5, Pidgin Pidgin 2.4.3, Pidgin Pidgin 2.4.2, Pidgin Pidgin 2.4.1, Pidgin Pidgin 2.4, Pidgin Pidgin 2.2.2, Pidgin Pidgin 2.2.1, Pidgin Pidgin 2.2, Pidgin Pidgin 2.1, Pidgin Pidgin 2.0.2, Pidgin Pidgin 2.0, Pidgin Pidgin 2.10.0, Pidgin Pidgin 0, Pidgin Libpurple 2.8.10, Pidgin Libpurple 2.8.9, Pidgin Libpurple 2.8.2, Pidgin Libpurple 2.8.1, Pidgin Libpurple 2.8, Pidgin Libpurple 2.7.11, Pidgin Libpurple 2.7.10, Pidgin Libpurple 2.7.9, Pidgin Libpurple 2.7.8, Pidgin Libpurple 2.7.7, Pidgin Libpurple 2.7.6, Pidgin Libpurple 2.7.4, Pidgin Libpurple 2.7.3, Pidgin Libpurple 2.7.2, Pidgin Libpurple 2.7, Pidgin Libpurple 2.6.5, Pidgin Libpurple 2.6.4, Pidgin Libpurple 2.6.1, Pidgin Libpurple 2.6, Pidgin Libpurple 2.5.8, Pidgin Libpurple 2.5.6, Pidgin Libpurple 2.5.5, Pidgin Libpurple 2.5.2, Pidgin Libpurple 2.4.3, Pidgin Libpurple 2.9.0, Pidgin Libpurple 2.8.0, Pidgin Libpurple 2.7.9, Pidgin Libpurple 2.7.8, Pidgin Libpurple 2.7.5, Pidgin Libpurple 2.7.1, Pidgin Libpurple 2.6.6, Pidgin Libpurple 2.6.3, Pidgin Libpurple 2.6.2, Pidgin Libpurple 2.5.9, Pidgin Libpurple 2.5.7, Pidgin Libpurple 2.5.4, Pidgin Libpurple 2.5.3, Pidgin Libpurple 2.5.1, Pidgin Libpurple 2.5.0, Oracle Enterprise Linux 6.2, Oracle Enterprise Linux 6, Oracle Enterprise Linux 4 |
| Not Vulnerable: | Pidgin Pidgin 2.10.1 |
Discussion
Pidgin is prone to multiple denial-of-service vulnerabilities due to a NULL-pointer dereference condition.
An attacker can exploit these issues by constructing and submitting a specially crafted Jingle multimedia message.
Successful exploits will cause the affected application to crash, effectively denying service to legitimate users. Due to the nature of these issues, remote code execution may be possible; this has not been confirmed.
Exploit / POC
Currently we are not aware of any exploits. If you feel we are in error or are aware of more recent information, please mail us at: [email protected]
Solution / Fix
Solution:
Updates are available. Please see the references for more information.
References
References: