Emoticons blast three security holes in Pidgin :-(

Cisco researchers have reported a trio of vulnerabilities in the popular instant messaging client Pidgin that allow denial of service through emoticon abuse and remote arbitrary file creation.

Researchers Yves Younan and Richard Johnson say the flaws have since been quietly patched; they were rated at a maximum CVSS score of 6.4 but were easily and remotely exploitable.

The first reported flaw (CVE-2014-3697) affected the way Pidgin accessed smileys and themes as tar packages on Windows systems.

Linux builds are unaffected because they hand extraction to the system tar utility, whereas Windows Pidgin ships its own extraction code, which honours absolute paths stored in tar entries and so lets an attacker write to or overwrite any file the user can access.
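As an added worked example (not code from the article, from Cisco's report or from the Pidgin project), the Python below models the absolute-path problem described above: it builds a "smiley theme" tar whose second entry carries an absolute name, shows where an extractor that simply joins the destination directory with the stored name would write (a dry run, modelling the Windows behaviour as a plain path join, which is an assumption), and then extracts the same archive with a validated path check. The victim path is a placeholder chosen for the example. The hardened check goes beyond the article's absolute-path case and also rejects drive letters, UNC prefixes and ".." traversal, the other ways a tar entry name can escape its destination.

```python
import io
import ntpath
import os
import posixpath
import tarfile
import tempfile

# Constructed sample: a "smiley theme" archive with one benign member and one
# member whose stored name is an absolute path, the trick the article describes.
# The victim path is a placeholder chosen for this example, not from the article.
EVIL_NAME = "/home/victim/.purple/accounts.xml"
BENIGN_NAME = "theme"
BENIGN_DATA = b"[Icon Theme]\nName=Example\n"


def build_theme_tar(evil_name: str = EVIL_NAME) -> bytes:
    """Build the malicious theme archive in memory (attacker side)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in ((BENIGN_NAME, BENIGN_DATA),
                              (evil_name, b"<!-- attacker-controlled -->\n")):
            info = tarfile.TarInfo(name)  # the tar header stores the name verbatim
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def naive_targets(tar_bytes: bytes, dest: str) -> list:
    """Dry run of an extractor that joins dest and the member name with no
    validation (assumed model of the vulnerable Windows code path: a join whose
    right-hand side is absolute discards dest entirely). Writes nothing."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [posixpath.join(dest, m.name) for m in tar.getmembers()]


def safe_target(dest: str, name: str) -> str:
    """Return the on-disk path for a tar member, or raise ValueError.

    Rejects absolute names (the bug in the article) and, going beyond it,
    drive letters, UNC prefixes and '..' traversal, then confirms that the
    fully resolved path still lies inside dest."""
    if name.startswith(("/", "\\")) or posixpath.isabs(name) or ntpath.splitdrive(name)[0]:
        raise ValueError("absolute or drive-qualified member name: %r" % name)
    norm = posixpath.normpath(name.replace("\\", "/"))
    if norm in (".", "..") or norm.startswith("../"):
        raise ValueError("traversal in member name: %r" % name)
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, norm))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("member escapes destination: %r" % name)
    return target


def rejects(dest: str, name: str) -> bool:
    """True if safe_target refuses the member name."""
    try:
        safe_target(dest, name)
    except ValueError:
        return True
    return False


def extract_theme(tar_bytes: bytes, dest: str) -> tuple:
    """Hardened extractor: regular files only, every name validated.
    Returns (paths written, member names rejected)."""
    written, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():  # symlinks and devices are escape vectors too
                rejected.append(member.name)
                continue
            try:
                target = safe_target(dest, member.name)
            except ValueError:
                rejected.append(member.name)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            written.append(target)
    return written, rejected


def run_demo() -> dict:
    """Process the sample archive both ways, extracting only into a scratch dir."""
    data = build_theme_tar()
    with tempfile.TemporaryDirectory() as dest:
        naive = naive_targets(data, "/opt/pidgin/smileys/evil")
        written, rejected = extract_theme(data, dest)
        benign_ok = (len(written) == 1
                     and open(written[0], "rb").read() == BENIGN_DATA)
    return {"naive": naive, "rejected": rejected, "benign_ok": benign_ok}


if __name__ == "__main__":
    print(run_demo())
```

The dry run shows the naive join sending the second member straight to the attacker's chosen absolute path, while the hardened extractor writes only the benign member and reports the other as rejected. Validating the normalised name is not enough on its own; the final realpath comparison against the destination is what catches symlinked directories that an earlier entry may have planted.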

Full Article: http://www.theregister.co.uk/2014/11/10/cisco_security_bods_hunt_pidgin/

Permanent link to this article: https://www.darknessgate.com/2014/11/19/emoticons-blast-three-security-holes-pidgin/