Fwd: [Pidgin] #2216: Vulnerability in Pidgin 2.0.2 - remote authenticated to execute commands

Luke Schierer lschiere at pidgin.im
Fri Jul 20 13:05:55 EDT 2007

Dear packagers,
This has come to our attention repeatedly, though this is the first
incredibly public post about it that I know of.  Unfortunately, we have
absolutely no details on it.  We do not see what the vulnerability is,
and everything just links back to the wslabi page, which tells us
nothing, and whose administrators refuse to tell us anything.

So this email is basically just an FYI for now.


----- Forwarded message from Pidgin <trac at pidgin.im> -----

Date: Fri, 20 Jul 2007 16:19:46 -0000
From: Pidgin <trac at pidgin.im>
Cc: tracker at pidgin.im
Subject: [Pidgin] #2216: Vulnerability in Pidgin 2.0.2 - remote
	authenticated to execute commands

#2216: Vulnerability in Pidgin 2.0.2 - remote authenticated to execute commands
Reporter:  pr0gm3r  |       Owner:  sadrul                          
    Type:  defect   |      Status:  new                             
Priority:  minor    |   Component:  finch (gnt/ncurses)             
 Version:  2.0.2    |    Keywords:  vulnerability, exploit, security
 Pending:  0        |  
 Vulnerability Summary CVE-2007-3841
 Original release date: 7/17/2007
 Last revised: 7/19/2007


 Unspecified vulnerability in Pidgin (formerly Gaim) 2.0.2 for Linux allows
 remote authenticated users, who are listed in a users list, to execute
 certain commands via unspecified vectors, aka ZD-00000035. NOTE: this
 information is based upon a vague advisory by a vulnerability information
 sales organization that does not coordinate with vendors or release
 actionable advisories. A CVE has been assigned for tracking purposes, but
 duplicates with other CVEs are difficult to determine.


 CVSS Severity (version 2.0):
 Base score: 9.0 (High)
 Impact Subscore: 10.0
 Exploitability Subscore: 8.0

 Range: Network exploitable
 Authentication: Required to exploit
 Impact Type: Provides administrator access, Allows complete
 confidentiality, integrity, and availability violation , Allows
 unauthorized disclosure of information , Allows disruption of service

 References to Advisories, Solutions, and Tools

 External Source: (disclaimer)

 Hyperlink: http://www.wslabi.com/wabisabilabi/initPublishedBid.do?

 External Source:  BID (disclaimer)

 Name: 24904

 Hyperlink: http://www.securityfocus.com/bid/24904

 Vulnerable software and versions

 Configuration 1
 −  Pidgin, Pidgin, 2.0.2, Linux

 Technical Details

 CVSS Base Score Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C) (legend)

 Vulnerability Type: Input Validation Error

 CVE Standard Vulnerability Entry:

 Common Platform Enumeration:

Ticket URL: <http://developer.pidgin.im/ticket/2216>
Pidgin <http://pidgin.im>
Tracker mailing list
Tracker at pidgin.im

----- End forwarded message -----

More information about the Packagers mailing list