CVE-2008-2955
published 2008-07-01
Priority P419 · medium · 4.3 · CVSS 2.0
AV:N/AC:M/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 7.26% (93.6th percentile)
Pidgin 2.4.1 allows remote attackers to cause a denial of service (crash) via a long filename that contains certain characters, as demonstrated using an MSN message that triggers the crash in the msn_slplink_process_msg function.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adium | adium | <= 1.2.7 | — |
| debian | pidgin | < pidgin 2.4.3-1 (bookworm) | pidgin 2.4.3-1 (bookworm) |
| pidgin | pidgin | <= 2.4.2 | — |
CVSS provenance
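| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 6.8 | MEDIUM | — |
| vendor_debian | — | 6.8 | MEDIUM | — |
| vendor_redhat | — | 6.8 | MEDIUM | — |
| vendor_ubuntu | — | 6.8 | MEDIUM | — |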
Ubuntu
Pidgin vulnerabilities
vendor_ubuntu·2010-01-18·CVSS 5.0
CVE-2008-2955 [MEDIUM] Pidgin vulnerabilities
It was discovered that Pidgin did not properly handle certain topic messages in the IRC protocol handler. If a user were tricked into connecting to a malicious IRC server, an attacker could cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-2703)

It was discovered that Pidgin did not properly enforce the "require TLS/SSL" setting when connecting to certain older Jabber servers. If a remote attacker were able to perform a machine-in-the-middle attack, this flaw could be exploited to view sensitive information. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3026)

It was discovered that Pidgin did not properly
Ubuntu
Pidgin vulnerabilities
vendor_ubuntu·2008-11-24·CVSS 6.8
CVE-2008-2927 [MEDIUM] Pidgin vulnerabilities
It was discovered that Pidgin did not properly handle certain malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2008-2927)

It was discovered that Pidgin did not properly handle file transfers containing a long filename and special characters in the MSN protocol handler. A remote attacker could send a specially crafted filename in a file transfer request and cause Pidgin to crash, leading to a denial of service. (CVE-2008-2955)

It was discovered that Pidgin did not impose resource limitations in the UPnP service. A remote attacker could cause Pidgin to download arbitrary files and cause a denial of service fro
Red Hat
pidgin MSN integer overflow
vendor_redhat·2008-07-04·CVSS 6.8
CVE-2008-2927 [MEDIUM] CWE-190 pidgin MSN integer overflow
Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin before 2.4.3 and Adium before 1.3 allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, a different vulnerability than CVE-2008-2955.
Red Hat
pidgin: remote DoS via MSN message with crafted file name
vendor_redhat·2008-06-28·CVSS 4.3
CVE-2008-2955 [MEDIUM] pidgin: remote DoS via MSN message with crafted file name
Pidgin 2.4.1 allows remote attackers to cause a denial of service (crash) via a long filename that contains certain characters, as demonstrated using an MSN message that triggers the crash in the msn_slplink_process_msg function.
Debian
CVE-2008-2927: pidgin - Multiple integer overflows in the msn_slplink_process_msg functions in the MSN p...
vendor_debian·2008·CVSS 6.8
CVE-2008-2927 [MEDIUM] CVE-2008-2927: pidgin - Multiple integer overflows in the msn_slplink_process_msg functions in the MSN p...
Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin before 2.4.3 and Adium before 1.3 allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, a different vulnerability than CVE-2008-2955.
Scope: local
bookworm: resolved (fixed in 2.4.3-1)
bullseye: resolved (fixed in 2.4.3-1)
forky: resolved (fixed in 2.4.3-1)
sid: resolved (fixed in 2.4.3-1)
trixie: resolved (fixed in 2.4.3-1)
Debian
CVE-2008-2955: pidgin - Pidgin 2.4.1 allows remote attackers to cause a denial of service (crash) via a ...
vendor_debian·2008·CVSS 4.3
CVE-2008-2955 [MEDIUM] CVE-2008-2955: pidgin - Pidgin 2.4.1 allows remote attackers to cause a denial of service (crash) via a ...
Pidgin 2.4.1 allows remote attackers to cause a denial of service (crash) via a long filename that contains certain characters, as demonstrated using an MSN message that triggers the crash in the msn_slplink_process_msg function.
Scope: local
bookworm: resolved (fixed in 2.4.3-1)
bullseye: resolved (fixed in 2.4.3-1)
forky: resolved (fixed in 2.4.3-1)
sid: resolved (fixed in 2.4.3-1)
trixie: resolved (fixed in 2.4.3-1)
GHSA
GHSA-573h-wp83-cr6f: Pidgin 2
ghsa_unreviewed·2022-05-01
CVE-2008-2955 [MEDIUM] CWE-20 GHSA-573h-wp83-cr6f: Pidgin 2
Pidgin 2.4.1 allows remote attackers to cause a denial of service (crash) via a long filename that contains certain characters, as demonstrated using an MSN message that triggers the crash in the msn_slplink_process_msg function.
GHSA
GHSA-xgwj-qm2p-hcpc: Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink
ghsa_unreviewed·2022-05-01·CVSS 4.3
CVE-2008-2927 [MEDIUM] GHSA-xgwj-qm2p-hcpc: Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink
Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin before 2.4.3 and Adium before 1.3 allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, a different vulnerability than CVE-2008-2955.
OSV
CVE-2008-2927: Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink
osv·2008-07-07·CVSS 6.8
CVE-2008-2927 [MEDIUM] CVE-2008-2927: Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink
Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin before 2.4.3 and Adium before 1.3 allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, a different vulnerability than CVE-2008-2955.
OSV
CVE-2008-2955: Pidgin 2
osv·2008-07-01·CVSS 4.3
CVE-2008-2955 [MEDIUM] CVE-2008-2955: Pidgin 2
Pidgin 2.4.1 allows remote attackers to cause a denial of service (crash) via a long filename that contains certain characters, as demonstrated using an MSN message that triggers the crash in the msn_slplink_process_msg function.
No detection rules found.
http://secunia.com/advisories/30881
http://secunia.com/advisories/32859
http://secunia.com/advisories/33102
http://securityreason.com/securityalert/3966
http://support.avaya.com/elmodocs2/security/ASA-2008-493.htm
http://www.mandriva.com/security/advisories?name=MDVSA-2009:025
http://www.redhat.com/support/errata/RHSA-2008-1023.html
http://www.securityfocus.com/archive/1/493682/100/0/threaded
http://www.securityfocus.com/bid/29985
http://www.ubuntu.com/usn/USN-675-1
http://www.vupen.com/english/advisories/2008/1947
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10131
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18050