Pidgin SILC (Secure Internet Live Conferencing) Protocol Denial of Service Vulnerability
BID:51074
Info
| Bugtraq ID: | 51074 |
| Class: | Input Validation Error |
| CVE: | CVE-2011-4603 |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 14 2011 12:00AM |
| Updated: | Apr 13 2015 09:50PM |
| Credit: | Diego Bauche Madero from IOActive |
| Vulnerable: | Ubuntu Ubuntu Linux 12.04 LTS i386; Ubuntu Ubuntu Linux 12.04 LTS amd64; Ubuntu Ubuntu Linux 11.10 i386; Ubuntu Ubuntu Linux 11.10 amd64; Ubuntu Ubuntu Linux 11.04 powerpc; Ubuntu Ubuntu Linux 11.04 i386; Ubuntu Ubuntu Linux 11.04 ARM; Ubuntu Ubuntu Linux 11.04 amd64; Ubuntu Ubuntu Linux 10.04 sparc; Ubuntu Ubuntu Linux 10.04 powerpc; Ubuntu Ubuntu Linux 10.04 i386; Ubuntu Ubuntu Linux 10.04 ARM; Ubuntu Ubuntu Linux 10.04 amd64; Sun Solaris 10; Redhat Enterprise Linux WS 4; Redhat Enterprise Linux Optional Productivity Application 5 server; Redhat Enterprise Linux ES 4; Redhat Enterprise Linux Desktop Workstation 5 client; Redhat Enterprise Linux Desktop 5 client; Redhat Enterprise Linux AS 4; Redhat Enterprise Linux Desktop version 4; Pidgin Pidgin 2.9; Pidgin Pidgin 2.8; Pidgin Pidgin 2.7.6; Pidgin Pidgin 2.7.5; Pidgin Pidgin 2.7.4; Pidgin Pidgin 2.7.3; Pidgin Pidgin 2.7.2; Pidgin Pidgin 2.7.1; Pidgin Pidgin 2.7; Pidgin Pidgin 2.6.6; Pidgin Pidgin 2.6.5; Pidgin Pidgin 2.6.4; Pidgin Pidgin 2.6.3; Pidgin Pidgin 2.6.1; Pidgin Pidgin 2.6; Pidgin Pidgin 2.5.9; Pidgin Pidgin 2.5.8; Pidgin Pidgin 2.5.7; Pidgin Pidgin 2.5.6; Pidgin Pidgin 2.5.5; Pidgin Pidgin 2.4.3; Pidgin Pidgin 2.4.2; Pidgin Pidgin 2.4.1; Pidgin Pidgin 2.4; Pidgin Pidgin 2.2.2; Pidgin Pidgin 2.2.1; Pidgin Pidgin 2.2; Pidgin Pidgin 2.1; Pidgin Pidgin 2.0.2; Pidgin Pidgin 2.0; Pidgin Pidgin 2.10.0; Pidgin Pidgin 0; Pidgin Libpurple 2.8.10; Pidgin Libpurple 2.8.9; Pidgin Libpurple 2.8; Pidgin Libpurple 2.7.11; Pidgin Libpurple 2.7.10; Pidgin Libpurple 2.7.9; Pidgin Libpurple 2.7.7; Pidgin Libpurple 2.7.6; Pidgin Libpurple 2.7.4; Pidgin Libpurple 2.7.3; Pidgin Libpurple 2.7.2; Pidgin Libpurple 2.7; Pidgin Libpurple 2.6.5; Pidgin Libpurple 2.6.4; Pidgin Libpurple 2.6.1; Pidgin Libpurple 2.6; Pidgin Libpurple 2.5.8; Pidgin Libpurple 2.5.6; Pidgin Libpurple 2.5.5; Pidgin Libpurple 2.5.2; Pidgin Libpurple 2.4.3; Pidgin Libpurple 2.9.0; Pidgin Libpurple 2.8.2; Pidgin Libpurple 2.8.1; Pidgin Libpurple 2.8.0; Pidgin Libpurple 2.7.9; Pidgin Libpurple 2.7.8; Pidgin Libpurple 2.7.5; Pidgin Libpurple 2.7.1; Pidgin Libpurple 2.6.6; Pidgin Libpurple 2.6.3; Pidgin Libpurple 2.6.2; Pidgin Libpurple 2.5.9; Pidgin Libpurple 2.5.7; Pidgin Libpurple 2.5.4; Pidgin Libpurple 2.5.3; Pidgin Libpurple 2.5.1; Pidgin Libpurple 2.5.0; Pidgin Libpurple -; Oracle Enterprise Linux 4 |
| Not Vulnerable: | Pidgin Pidgin 2.10.1 |
Discussion
Pidgin is prone to a denial-of-service vulnerability.
An attacker can exploit this issue by constructing and submitting a specially crafted SILC message.
Successful exploits will cause the affected application to crash, effectively denying service to legitimate users. Due to the nature of this issue, remote code execution may be possible; this has not been confirmed.
Exploit / POC
Currently we are not aware of any exploits. If you feel we are in error or are aware of more recent information, please mail us at: [email protected]
Solution / Fix
Solution:
Updates are available. Please see the references for more information.
References
References: