CVE-2013-6483: Input Validation
First published: Thu Feb 06 2014(Updated: )
The XMPP protocol plugin in libpurple in Pidgin before 2.10.8 does not properly determine whether the from address in an iq reply is consistent with the to address in an iq request, which allows remote attackers to spoof iq traffic or cause a denial of service (NULL pointer dereference and application crash) via a crafted reply.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Pidgin | <=2.10.7 | |
| Pidgin | =2.0.0 | |
| Pidgin | =2.0.1 | |
| Pidgin | =2.0.2 | |
| Pidgin | =2.1.0 | |
| Pidgin | =2.1.1 | |
| Pidgin | =2.2.0 | |
| Pidgin | =2.2.1 | |
| Pidgin | =2.2.2 | |
| Pidgin | =2.3.0 | |
| Pidgin | =2.3.1 | |
| Pidgin | =2.4.0 | |
| Pidgin | =2.4.1 | |
| Pidgin | =2.4.2 | |
| Pidgin | =2.4.3 | |
| Pidgin | =2.5.0 | |
| Pidgin | =2.5.1 | |
| Pidgin | =2.5.2 | |
| Pidgin | =2.5.3 | |
| Pidgin | =2.5.4 | |
| Pidgin | =2.5.5 | |
| Pidgin | =2.5.6 | |
| Pidgin | =2.5.7 | |
| Pidgin | =2.5.8 | |
| Pidgin | =2.5.9 | |
| Pidgin | =2.6.0 | |
| Pidgin | =2.6.1 | |
| Pidgin | =2.6.2 | |
| Pidgin | =2.6.3 | |
| Pidgin | =2.6.4 | |
| Pidgin | =2.6.5 | |
| Pidgin | =2.6.6 | |
| Pidgin | =2.7.0 | |
| Pidgin | =2.7.1 | |
| Pidgin | =2.7.2 | |
| Pidgin | =2.7.3 | |
| Pidgin | =2.7.4 | |
| Pidgin | =2.7.5 | |
| Pidgin | =2.7.6 | |
| Pidgin | =2.7.7 | |
| Pidgin | =2.7.8 | |
| Pidgin | =2.7.9 | |
| Pidgin | =2.7.10 | |
| Pidgin | =2.7.11 | |
| Pidgin | =2.8.0 | |
| Pidgin | =2.9.0 | |
| Pidgin | =2.10.0 | |
| Pidgin | =2.10.1 | |
| Pidgin | =2.10.2 | |
| Pidgin | =2.10.3 | |
| Pidgin | =2.10.4 | |
| Pidgin | =2.10.5 | |
| Pidgin | =2.10.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://hg.pidgin.im/pidgin/main/rev/93d4bff19574
- http://lists.opensuse.org/opensuse-updates/2014-02/msg00039.html
- http://lists.opensuse.org/opensuse-updates/2014-03/msg00005.html
- http://pidgin.im/news/security/?id=78
- http://www.debian.org/security/2014/dsa-2859
- http://www.ubuntu.com/usn/USN-2100-1
- https://rhn.redhat.com/errata/RHSA-2014-0139.html
Frequently Asked Questions
What is the severity of CVE-2013-6483?
CVE-2013-6483 has a medium severity rating allowing for potential spoofing or denial of service.
How do I fix CVE-2013-6483?
To fix CVE-2013-6483, update Pidgin to version 2.10.8 or later.
What impact does CVE-2013-6483 have on the Pidgin application?
CVE-2013-6483 can lead to unauthorized spoofing of IQ traffic or cause the application to crash.
Which versions of Pidgin are affected by CVE-2013-6483?
Versions of Pidgin prior to 2.10.8, including 2.0.0 to 2.10.7, are affected by CVE-2013-6483.
Who can exploit CVE-2013-6483?
CVE-2013-6483 can be exploited by remote attackers targeting users of affected Pidgin versions.
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/references
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/pidgin
- canonical/pidgin
- version/pidgin/2.10.7
- version/pidgin/2.0.0
- version/pidgin/2.0.1
- version/pidgin/2.0.2
- version/pidgin/2.1.0
- version/pidgin/2.1.1
- version/pidgin/2.2.0
- version/pidgin/2.2.1
- version/pidgin/2.2.2
- version/pidgin/2.3.0
- version/pidgin/2.3.1
- version/pidgin/2.4.0
- version/pidgin/2.4.1
- version/pidgin/2.4.2
- version/pidgin/2.4.3
- version/pidgin/2.5.0
- version/pidgin/2.5.1
- version/pidgin/2.5.2
- version/pidgin/2.5.3
- version/pidgin/2.5.4
- version/pidgin/2.5.5
- version/pidgin/2.5.6
- version/pidgin/2.5.7
- version/pidgin/2.5.8
- version/pidgin/2.5.9
- version/pidgin/2.6.0
- version/pidgin/2.6.1
- version/pidgin/2.6.2
- version/pidgin/2.6.3
- version/pidgin/2.6.4
- version/pidgin/2.6.5
- version/pidgin/2.6.6
- version/pidgin/2.7.0
- version/pidgin/2.7.1
- version/pidgin/2.7.2
- version/pidgin/2.7.3
- version/pidgin/2.7.4
- version/pidgin/2.7.5
- version/pidgin/2.7.6
- version/pidgin/2.7.7
- version/pidgin/2.7.8
- version/pidgin/2.7.9
- version/pidgin/2.7.10
- version/pidgin/2.7.11
- version/pidgin/2.8.0
- version/pidgin/2.9.0
- version/pidgin/2.10.0
- version/pidgin/2.10.1
- version/pidgin/2.10.2
- version/pidgin/2.10.3
- version/pidgin/2.10.4
- version/pidgin/2.10.5
- version/pidgin/2.10.6