Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2008-2927

Disclosure Date: July 07, 2008
CVE-2008-2927
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin before 2.4.3 and Adium before 1.3 allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, a different vulnerability than CVE-2008-2955.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • adium,
  • pidgin

Products

  • adium,
  • adium 1.0,
  • adium 1.0.1,
  • adium 1.0.2,
  • adium 1.0.3,
  • adium 1.0.4,
  • adium 1.0.5,
  • adium 1.1,
  • adium 1.1.1,
  • adium 1.1.2,
  • adium 1.1.3,
  • adium 1.1.4,
  • pidgin,
  • pidgin 2.0.0,
  • pidgin 2.0.1,
  • pidgin 2.0.2,
  • pidgin 2.1.0,
  • pidgin 2.1.1,
  • pidgin 2.2.0,
  • pidgin 2.2.1,
  • pidgin 2.2.2,
  • pidgin 2.3.0,
  • pidgin 2.3.1,
  • pidgin 2.4.0,
  • pidgin 2.4.1

References

Canonical
CVE-2008-2927 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2927)
BID-29956 (http://www.securityfocus.com/bid/29956)
Advisory
USN-675-2 (http://www.ubuntu.com/usn/USN-675-2)
[oss-security] 20080703 Re: Re: CVE Request (pidgin) (http://www.openwall.com/lists/oss-security/2008/07/04/1)
http://www.redhat.com/support/errata/RHSA-2008-0584.html
http://developer.pidgin.im/viewmtn/revision/diff/6eb1949a96fa80a4c744fc749c2562abc4cc9ed6/with/c3831c9181f4f61b747321240086ee79e4a08fd8/libpurple/protocols/msnp9/slplink.c
SECUNIA-32861 (http://secunia.com/advisories/32861)
SECTRACK-1020451 (http://www.securitytracker.com/id?1020451)
SECUNIA-30971 (http://secunia.com/advisories/30971)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11695
http://developer.pidgin.im/viewmtn/revision/diff/6eb1949a96fa80a4c744fc749c2562abc4cc9ed6/with/c3831c9181f4f61b747321240086ee79e4a08fd8/libpurple/protocols/msn/slplink.c
http://www.mandriva.com/security/advisories?name=MDVSA-2008:143
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17972
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0246
https://issues.rpath.com/browse/RPL-2647
http://www.mandriva.com/security/advisories?name=MDVSA-2009:127
[oss-security] 20080704 Re: Re: CVE Request (pidgin) (http://www.openwall.com/lists/oss-security/2008/07/03/6)
SECUNIA-31105 (http://secunia.com/advisories/31105)
http://www.pidgin.im/news/security?id=25
USN-675-1 (http://www.ubuntu.com/usn/USN-675-1)
SECUNIA-31642 (http://secunia.com/advisories/31642)
SECUNIA-32859 (http://secunia.com/advisories/32859)
SECUNIA-31387 (http://secunia.com/advisories/31387)
DSA-1610 (http://www.debian.org/security/2008/dsa-1610)
https://bugzilla.redhat.com/show_bug.cgi?id=453764
SECUNIA-31016 (http://secunia.com/advisories/31016)
20080828 ZDI-08-054: Multiple Vendor libpurple MSN Protocol SLP Message Heap Overflow Vulnerability (http://www.securityfocus.com/archive/1/495818/100/0/threaded)
XF-adium-msnprotocol-code-execution(44774) (https://exchange.xforce.ibmcloud.com/vulnerabilities/44774)
ADV-2008-2032 (http://www.vupen.com/english/advisories/2008/2032/references)
20080625 Pidgin 2.4.1 Vulnerability (http://www.securityfocus.com/archive/1/493682)
20080806 rPSA-2008-0246-1 gaim (http://www.securityfocus.com/archive/1/495165/100/0/threaded)
Miscellaneous
http://www.zerodayinitiative.com/advisories/ZDI-08-054
http://www.pidgin.im/news/security/?id=25
https://access.redhat.com/errata/RHSA-2008:0584
https://access.redhat.com/security/cve/CVE-2008-2927

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis