October 22, 2009

Gentoo Linux Security Advisory 200910-02 (High): pidgin

Multiple vulnerabilities were found in Pidgin:

  • Yuriy Kaminskiy reported that the OSCAR protocol implementation in Pidgin misinterprets the ICQWebMessage message type as the ICQSMS message type, triggering an allocation of a large amount of memory (CVE-2009-1889).
  • Federico Muttis of Core Security Technologies reported that the msn_slplink_process_msg() function in libpurple/protocols/msn/slplink.c in libpurple as used in Pidgin doesn't properly process incoming SLP messages, triggering an overwrite of an arbitrary memory location (CVE-2009-2694). NOTE: This issue reportedly exists because of an incomplete fix for CVE-2009-1376 (GLSA 200905-07).
  • bugdave reported that protocols/jabber/auth.c in libpurple as used in Pidgin does not follow the "require TSL/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, resulting in a connection to the server without the expected encryption (CVE-2009-3026)...
Click Here!