Pidgin IM client 2.10.0 closes holes
Version 2.10.0 of Pidgin is now available to download. This latest maintenance and security update includes a number of bug fixes and addresses three vulnerabilities in the open source instant messenger (IM) application.
A bug in the libpurple library, which is used by Pidgin and by other IM clients such as Adium and Meebo, has been fixed; it could cause Pidgin to crash on some operating systems. According to the developers, the problem concerned certain characters in IRC user nicknames that could lead to a null pointer problem in the IRC protocol plugin. Clients based on libpurple versions 2.8.0 through 2.9.0 are affected.
The update also fixes a problem in the MSN protocol plugin that could cause the application to try to access memory that it should not. The developers note that the vulnerability only affects users that enable the HTTP connection method, which is disabled by default, and that they "believe remote code execution is not possible".
In the Windows builds, when users clicked on a file:// URI received in an IM, previous versions of Pidgin would attempt to execute the file. This could be dangerous if, for example, the URI led to a malicious file on a network share. The new version instead opens a file browser at the file's location.
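The Windows behaviour change described above, sketched as an added example that is not Pidgin's own code: a click handler that never launches a file:// target and instead builds an argument for explorer.exe's `/select,` option, which only highlights the file in its folder. The function and enum names are hypothetical, and the link in `main` is a constructed sample.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum link_action { LINK_OPEN_DEFAULT, LINK_REVEAL_ONLY, LINK_REJECT };

static int is_file_uri(const char *uri) /* case-insensitive scheme test */
{
    const char *p = "file://";
    for (; *p; p++, uri++)
        if (tolower((unsigned char)*uri) != *p) return 0;
    return 1;
}

/* Decide what a click on a received link may do. A file:// target is never
 * launched: arg receives an explorer.exe argument that only selects the file. */
enum link_action plan_link_click(const char *uri, char *arg, size_t argsz)
{
    char path[512];
    size_t o = 0, start;
    const char *in;
    if (!is_file_uri(uri)) return LINK_OPEN_DEFAULT; /* normal handler */
    in = uri + 7;
    if (*in == '/') in++;                        /* file:///C:/x  -> C:\x */
    else { path[o++] = '\\'; path[o++] = '\\'; } /* file://host/s -> \\host\s */
    start = o;
    for (; *in; in++) {
        unsigned int c = (unsigned char)*in;
        if (c == '%') {                          /* percent-decode %XX */
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return LINK_REJECT;
            sscanf(in + 1, "%2x", &c);
            in += 2;
        }
        /* Quotes and control bytes would break out of the quoted argument. */
        if (c < 0x20 || c == '"' || o + 1 >= sizeof path) return LINK_REJECT;
        path[o++] = (c == '/') ? '\\' : (char)c;
    }
    path[o] = '\0';
    if (o == start) return LINK_REJECT;          /* empty path */
    return (size_t)snprintf(arg, argsz, "/select,\"%s\"", path) < argsz ? LINK_REVEAL_ONLY : LINK_REJECT;
}

int main(void)
{
    char arg[600]; /* the link below is a constructed sample */
    if (plan_link_click("file://fileserver/share/setup.exe", arg, sizeof arg) == LINK_REVEAL_ONLY)
        printf("explorer.exe %s\n", arg);
    return 0;
}
```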
Further information about the update, including a full list of bug fixes, can be found in the change log. Pidgin 2.10.0 is available to download for Windows, Mac OS X and Linux. Because Ubuntu ships with Pidgin but does not typically update it after a release, Ubuntu users should refer to the Ubuntu-specific install page on the Pidgin site to install the new version. Hosted on SourceForge, Pidgin is licensed under the GNU General Public Licence (GPL).
- Remote crash in IRC protocol plugin, Pidgin security advisory.
- Remote crash in MSN protocol plugin, Pidgin security advisory.
- Pidgin uses clickable links to untrusted executables, Pidgin security advisory.