Pidgin HTML data denial of service
| pidgin-htmldata-dos (38132) |  Low Risk |
Description:
Pidgin is vulnerable to a denial of service, caused by a NULL pointer dereference when parsing HTML data. By sending a specially-crafted message containing invalid HTML data, a remote attacker could exploit this vulnerability to crash the application.
Platforms Affected:
- Canonical, Ubuntu 7.10
- Pidgin, Pidgin prior to 2.2.2
Remedy:
Upgrade to the latest version of Pidgin (2.2.2 or later), available from the Pidgin Web site. See References.
For other distributions:
Apply the appropriate update for your system. See References.
Consequences:
Denial of Service
References:
- BID-26205: Pidgin HTML Processing Remote Denial Of Service Vulnerability
- CVE-2007-4999: libpurple in Pidgin 2.1.0 through 2.2.1, when using HTML logging, allows remote attackers to cause a denial of service (NULL dereference and application crash) via a message that contains invalid HTML data, a different vector than CVE-2007-4996.
- SA27372: Pidgin HTML Processing Denial of Service
- USN-548-1: Pidgin vulnerability
- VUPEN/ADV-2007-3624: Pidgin Invalid HTML Data Handling Remote Denial of Service Vulnerability
Reported:
Oct 24, 2007
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net