Patching up the glitches took longer than expected

Nov 10, 2014 09:40 GMT

The popular multi-protocol instant messaging client Pidgin received an update in October, which patched a total of three vulnerabilities.

To allow as many users as possible to update to the latest version of the IM client, disclosure of the glitches was delayed until last week, when security researchers from Cisco revealed the risks of running an outdated release of the software (any version lower than 2.10.10).

Smiley and theme packages are dangerous on Windows

First on the list is a weakness (CVE-2014-3697) in the way the application handles smiley-set and theme packages on Windows systems. This content is distributed as a TAR archive, and on Windows additional extraction code handles it; an absolute path stored in the TAR file would allow an attacker to write or overwrite files, limited only by the privileges of the logged-in user.

On Linux, the tar utility refuses to extract entries with an absolute path unless the -P argument is given, and Pidgin does not pass it, so the extracted data stays confined to the target folder.
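The check a hardened extractor needs, as an added illustration in Python rather than Pidgin's own code: every archive member whose path, or link target, would resolve outside the extraction folder is refused before anything is written, which is what tar does by default without -P and what the Windows code path lacked. The sample archive with hostile entries is constructed inline.

```python
import io
import posixpath
import tarfile

def is_safe_member(name: str) -> bool:
    """True only if a member name would land inside the extraction folder.
    Mirrors tar without -P (no absolute paths, no ".." components) and also
    rejects Windows drive letters and backslash separators, which a theme
    aimed at Windows Pidgin could use."""
    norm = name.replace("\\", "/")
    if norm.startswith("/"):                      # absolute POSIX path
        return False
    if len(norm) > 1 and norm[1] == ":":          # drive letter, e.g. C:/...
        return False
    return ".." not in posixpath.normpath(norm).split("/")

def audit_archive(blob: bytes):
    """Return (accepted, rejected) member names without extracting anything."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        for m in tar.getmembers():
            ok = is_safe_member(m.name)
            if ok and (m.issym() or m.islnk()):
                # A link target resolves relative to the link's own directory,
                # so it must pass the same check after that join.
                ok = is_safe_member(posixpath.join(posixpath.dirname(m.name), m.linkname))
            (accepted if ok else rejected).append(m.name)
    return accepted, rejected

def build_sample_theme() -> bytes:
    """Constructed sample archive (not a real Pidgin theme) with hostile members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [
            ("theme/smiley.png", b"PNG bytes"),           # benign entry
            ("/etc/evil", b"absolute path"),              # the CVE-2014-3697 pattern
            ("theme/../../outside.txt", b"traversal"),    # escapes via ".."
            ("C:/Users/victim/startup.exe", b"MZ"),       # Windows drive path
        ]:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo(name="theme/link")         # symlink leaving the tree
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tar.addfile(link)
    return buf.getvalue()
```

On Python 3.12 and later (and patched 3.8+ releases) `tar.extractall(filter="data")` applies equivalent checks natively; the explicit audit above shows what those checks look like and works on older interpreters.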

A second vulnerability (CVE-2014-3696) affects libpurple's Novell GroupWise protocol support; anyone controlling the contents of a Novell protocol message could trigger an out-of-memory exception and termination of the program “by specifying an overly large size value for a memory allocation operation.”

Spoofed emoticon leads to denial-of-service condition

In the case of the third glitch, Pidgin opened the door for a denial-of-service (DoS) attack through controlling the contents of an emoticon downloaded via the Mxit protocol.

By specifying a very large ASN.1 length value, the attacker could trigger an out-of-bounds read leading to a DoS condition. Exploiting the vulnerability, which received the CVE-2014-3695 identifier, relies on being able to spoof messages from the mxit.com domain.

Yves Younan of Cisco's Talos group said in a blog post on Friday that the three weaknesses “were found during our initial look at Pidgin which resulted in the first 4 vulnerabilities released in January.” The fixes arrived this much later because of a delay in reporting the issues to the Pidgin team and the longer time needed to produce a patch.

Pidgin is a versatile instant messaging client that supports a long list of commonly used IM protocols, allowing it to be used with many different services.

It works with protocols such as AIM, ICQ, XMPP, QQ, SILC, and Yahoo, which means that most IM services are covered.
