CVE-2013-6483

Priority
Medium
Description
The XMPP protocol plugin in libpurple in Pidgin before 2.10.8 does not
properly determine whether the from address in an iq reply is consistent
with the to address in an iq request, which allows remote attackers to
spoof iq traffic or cause a denial of service (NULL pointer dereference and
application crash) via a crafted reply.
Notes
mdeslaur> this introduced a regression, which was fixed in 2.10.9:
mdeslaur> https://developer.pidgin.im/ticket/15879
Assigned-to
mdeslaur
Package
Upstream: released (2.10.8)
Ubuntu 10.04 LTS (Lucid Lynx): ignored (reached end-of-life)
Ubuntu 12.04 LTS (Precise Pangolin): released (1:2.10.3-0ubuntu1.4)
Ubuntu 12.10 (Quantal Quetzal): released (1:2.10.6-0ubuntu2.3)
Ubuntu 13.10 (Saucy Salamander): released (1:2.10.7-0ubuntu4.1.13.10.1)
Ubuntu 14.04 LTS (Trusty Tahr): released (1:2.10.9-0ubuntu1)
Patches:
Upstream: http://hg.pidgin.im/pidgin/main/rev/93d4bff19574
Upstream: http://hg.pidgin.im/pidgin/main/rev/b8e2a5fbffd3 (regression)

Updated: 2014-02-14 14:14:54 UTC (commit 7751)