Pidgin Security Advisory

TitleXMPP doesn't verify 'from' on some iq replies
Date2014-01-28
CVE NameCVE-2013-6483
Discovered ByFabian Yamaguchi and Christian Wressnegger of the University of Goettingen
DescriptionThe XMPP protocol plugin failed to ensure that iq replies came from the person they were sent to. A remote user could send a spoofed iq reply and attempt to guess the iq id. This could allow an attacker to inject fake data or trigger a null pointer dereference.
Fixed in Revision93d4bff19574
Fixed in Version2.10.8
FixKeep track of the 'to' when sending an iq stanza and make sure replies for a given stanza ID come from the same address it was sent to.

Return to Security Advisory Index