In association with heise online

22 August 2011, 10:09

Pidgin IM client 2.10.0 closes holes

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Pidgin Logo Version 2.10.0 of Pidgin is now available to download. This latest maintenance and security update includes a number of bug fixes and addresses three vulnerabilities in the open source instant messenger (IM) application.

A bug in the libpurple library, used by Pidgin and other IM clients such as Adium and Meebo, that could lead Pidgin to crash on some operating systems has been fixed. According to the developers, the problem concerned certain characters in IRC user nicknames that could lead to a null pointer problem in the IRC protocol plugin. Clients based on version 2.8.0 through 2.9.0 libpurple are affected.

The update also fixes a problem in the MSN protocol plugin that could cause the application to try to access memory that it should not. The developers note that the vulnerability only affects users that enable the HTTP connection method, which is disabled by default, and that they "believe remote code execution is not possible".

In the Windows builds, when users click on a file:// URI received in an IM, previous versions of Pidgin would attempt to execute the file. This could be dangerous if, for example, it led to a malicious file on a network share. Instead, the new version now opens a file browser at the file's location.

Further information about the update, including a full list of bug fixes, can be found in the change log. Pidgin 2.10.0 is available to download for Windows, Mac OS X and Linux; as Ubuntu ships with Pidgin, but does not typically update it after a release, users should refer to the Ubuntu specific install page on the Pidgin site to install it on Ubuntu. Hosted on SourceForge, Pidgin is licensed under the GNU General Public Licence (GPL).

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit