Computer Security
[EN] securityvulns.ru no-pyccku


Pidgin / Adium messenger multiple security vulnerabilities
Published:19.02.2010
Source:
SecurityVulns ID:10632
Type:remote
Threat Level:
5/10
Description:Memory corruption on SLP (MSN) messages parsing. Multiple DoS conditions.
Affected:ADIUM : Adium 1.3
 PIDGIN : Pidgin 2.6
CVE:CVE-2010-0423 (gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat.)
 CVE-2010-0420 (libpurple in Finch in Pidgin before 2.6.6, when an XMPP multi-user chat (MUC) room is used, does not properly parse nicknames containing <br> sequences, which allows remote attackers to cause a denial of service (application crash) via a crafted nickname.)
 CVE-2010-0277 (slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013.)
Original documentdocumentMANDRIVA, [ MDVSA-2010:041 ] pidgin (19.02.2010)

Mozilla Firefox / Thunderbird / SeaMonkey multiple security vulnerabilities
updated since 19.02.2010
Published:25.02.2010
Source:
SecurityVulns ID:10631
Type:client
Threat Level:
8/10
Description:Multiple memory corruptions, use-after-free, crossite scripting.
Affected:MOZILLA : SeaMonkey 2.0
 MOZILLA : Firefox 3.0
 MOZILLA : Firefox 3.5
 MOZILLA : Firefox 3.6
 MOZILLA : Thunderbird 3.0
CVE:CVE-2010-0162 (Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly support the application/octet-stream content type as a protection mechanism against execution of web script in certain circumstances involving SVG and the EMBED element, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via an embedded SVG document.)
 CVE-2010-0160 (The Web Worker functionality in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly handle array data types for posted messages, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors.)
 CVE-2010-0159 (The browser engine in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the nsBlockFrame::StealFrame function in layout/generic/nsBlockFrame.cpp, and unspecified other vectors.)
 CVE-2009-3988 (Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly restrict read access to object properties in showModalDialog, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via crafted dialogArguments values.)
 CVE-2009-1571 (Use-after-free vulnerability in the HTML parser in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to execute arbitrary code via unspecified method calls that attempt to access freed objects in low-memory situations.)
Original documentdocumentZDI, ZDI-10-019: Mozilla Firefox showModalDialog Cross-Domain Scripting Vulnerability (25.02.2010)
 documentSECUNIA, Secunia Research: Mozilla Firefox Memory Corruption Vulnerability (19.02.2010)
 documentMOZILLA, Mozilla Foundation Security Advisory 2010-05 (19.02.2010)
 documentMOZILLA, Mozilla Foundation Security Advisory 2010-04 (19.02.2010)
 documentMOZILLA, Mozilla Foundation Security Advisory 2010-03 (19.02.2010)
 documentMOZILLA, Mozilla Foundation Security Advisory 2010-02 (19.02.2010)
 documentMOZILLA, Mozilla Foundation Security Advisory 2010-01 (19.02.2010)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod