SpirityCVE

Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin (formerly Gaim) before 2.5.6 on 32-bit platforms allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, leading to buffer overflows. NOTE: this issue exists because of an incomplete fix for CVE-2008-2927.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pidgin	Pidgin
Redhat	Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:a:pidgin:pidgin::::::::
	cpe:2.3:a:pidgin:pidgin:2.4.0:32_bit::::::
	cpe:2.3:a:pidgin:pidgin:2.4.1:32_bit::::::
	cpe:2.3:a:pidgin:pidgin:2.4.2:32_bit::::::
	cpe:2.3:a:pidgin:pidgin:2.4.3:32_bit::::::
	cpe:2.3:a:pidgin:pidgin:2.5.0:32_bit::::::
	cpe:2.3:a:pidgin:pidgin:2.5.2:32_bit::::::
	cpe:2.3:a:pidgin:pidgin:2.5.3:32_bit::::::
	cpe:2.3:a:pidgin:pidgin:2.5.4:32_bit::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 3
pidgin-0:1.5.1-3.el3	cpe:/o:redhat:enterprise_linux:3	RHSA-2009:1059	2009-05-22T00:00:00Z
Red Hat Enterprise Linux 4
pidgin-0:2.5.5-2.el4	cpe:/o:redhat:enterprise_linux:4	RHSA-2009:1060	2009-05-22T00:00:00Z
Red Hat Enterprise Linux 5
pidgin-0:2.5.5-3.el5	cpe:/o:redhat:enterprise_linux:5	RHSA-2009:1060	2009-05-22T00:00:00Z

References

Link	Providers
https://www.spirityenterprise.com/pentest
http://debian.org/security/2009/dsa-1805
http://secunia.com/advisories/35188
http://secunia.com/advisories/35194
http://secunia.com/advisories/35202
http://secunia.com/advisories/35215
http://secunia.com/advisories/35294
http://secunia.com/advisories/35329
http://secunia.com/advisories/35330
http://secunia.com/advisories/37071
http://www.gentoo.org/security/en/glsa/glsa-200905-07.xml
http://www.mandriva.com/security/advisories?name=MDVSA-2009:140
http://www.mandriva.com/security/advisories?name=MDVSA-2009:173
http://www.pidgin.im/news/security/?id=32
http://www.redhat.com/support/errata/RHSA-2009-1059.html
http://www.redhat.com/support/errata/RHSA-2009-1060.html
http://www.securityfocus.com/bid/35067
http://www.ubuntu.com/usn/USN-781-1
http://www.ubuntu.com/usn/USN-781-2
http://www.vupen.com/english/advisories/2009/1396
https://bugzilla.redhat.com/show_bug.cgi?id=500493
https://exchange.xforce.ibmcloud.com/vulnerabilities/50680
https://nvd.nist.gov/vuln/detail/CVE-2009-1376
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10476
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18432
https://www.cve.org/CVERecord?id=CVE-2009-1376
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00033.html
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00051.html
https://www.redhat.com/archives/fedora-package-announce/2009-June/msg00075.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2009-05-26T15:16:00

Updated: 2024-08-07T05:13:25.437Z

Reserved: 2009-04-23T00:00:00

Link: CVE-2009-1376

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2009-05-26T15:30:05.280

Modified: 2025-04-09T00:30:58.490

Link: CVE-2009-1376

Redhat

Severity : Important

Publid Date: 2009-05-02T00:00:00Z

Links: CVE-2009-1376 - Bugzilla

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object