Pidgin Security Advisory
| Field | Value |
|---|---|
| Title | XMPP doesn't verify 'from' on some iq replies |
| Date | 2014-01-28 |
| CVE Name | CVE-2013-6483 |
| Discovered By | Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen |
| Description | The XMPP protocol plugin failed to ensure that iq replies came from the person they were sent to. A remote user could send a spoofed iq reply and attempt to guess the iq id. This could allow an attacker to inject fake data or trigger a null pointer dereference. |
| Fixed in Revision | 93d4bff19574 |
| Fixed in Version | 2.10.8 |
| Fix | Keep track of the 'to' when sending an iq stanza and make sure replies for a given stanza ID come from the same address it was sent to. |
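The check the Fix row describes, as an added example that is not Pidgin's code: a small iq tracker records the 'to' of each outgoing request under its stanza id and, when a result or error with that id arrives, hands the payload to the caller only if the 'from' matches the recorded address. `verify_from=False` reproduces the pre-2.10.8 behaviour so the effect of a spoofed reply can be seen. The JIDs, stanzas, and the rule used for requests sent to the local server with no 'to' (reply may omit 'from' or carry the own bare JID or server domain) are constructed assumptions for this example.

```python
"""Added example (not Pidgin's code): validate that an iq reply's 'from'
matches the 'to' the request was sent to, keyed by stanza id."""
import secrets
import xml.etree.ElementTree as ET

OWN_JID = "alice@example.org/laptop"   # constructed local account


def bare(jid):
    """Strip the resource: 'user@host/res' -> 'user@host'."""
    return jid.split("/", 1)[0] if jid else jid


class IqTracker:
    """Remembers where each outstanding iq request went and validates replies."""

    def __init__(self, own_jid, verify_from=True):
        self.own_jid = own_jid
        self.verify_from = verify_from   # False = pre-2.10.8 behaviour (id only)
        self.pending = {}                # id -> 'to' of the request (None = own server)

    def send(self, to, payload_xml):
        """Build a request stanza and remember its destination under a fresh id."""
        iq_id = secrets.token_hex(8)     # unpredictable id; guessable ids make spoofing cheap
        self.pending[iq_id] = to
        to_attr = (' to="%s"' % to) if to else ""
        stanza = '<iq type="get" id="%s"%s>%s</iq>' % (iq_id, to_attr, payload_xml)
        return iq_id, stanza

    def _from_matches(self, expected_to, sender):
        if expected_to is None:
            # Request went to our own server (no 'to'): assumption for this example,
            # the reply may omit 'from' or carry our bare JID or our server's domain.
            own_bare = bare(self.own_jid)
            domain = own_bare.split("@", 1)[1]
            return sender in (None, own_bare, domain)
        return sender == expected_to     # exact match against the address we sent to

    def receive(self, stanza_xml):
        """Return the reply's payload elements if it is a legitimate reply, else None."""
        el = ET.fromstring(stanza_xml)   # constructed stanzas carry no stream namespace
        if el.tag != "iq" or el.get("type") not in ("result", "error"):
            return None
        iq_id = el.get("id")
        if iq_id not in self.pending:
            return None                  # unsolicited, or already answered
        expected_to = self.pending[iq_id]
        if self.verify_from and not self._from_matches(expected_to, el.get("from")):
            return None                  # mismatch: drop it and keep waiting for the real reply
        del self.pending[iq_id]
        return list(el)


def demo():
    """Replay the advisory scenario: a third party guesses the id and answers first."""
    results = {}
    for verify in (False, True):
        tracker = IqTracker(OWN_JID, verify_from=verify)
        iq_id, _ = tracker.send("bob@example.org/phone", '<query xmlns="jabber:iq:roster"/>')
        # Constructed spoofed reply injecting a fake roster entry under the guessed id.
        spoofed = ('<iq type="result" id="%s" from="mallory@evil.example">'
                   '<query xmlns="jabber:iq:roster">'
                   '<item jid="mallory@evil.example" subscription="both"/></query></iq>' % iq_id)
        genuine = ('<iq type="result" id="%s" from="bob@example.org/phone">'
                   '<query xmlns="jabber:iq:roster"/></iq>' % iq_id)
        spoof_accepted = tracker.receive(spoofed) is not None
        genuine_accepted = tracker.receive(genuine) is not None
        results[verify] = (spoof_accepted, genuine_accepted)
    return results


if __name__ == "__main__":
    # Without the check the spoof is consumed as the answer and the real reply is
    # then discarded as unsolicited; with the check the spoof is dropped instead.
    print(demo())   # {False: (True, False), True: (False, True)}
```

The tracker deliberately leaves the id pending after rejecting a mismatched reply, so the genuine answer still gets through; removing the entry on a bad 'from' would let a spoofer turn the id guess into a denial of the real response.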