Pidgin IM client 2.9.0 closes security vulnerability
The Pidgin development team has announced the release of version 2.9.0 of its open source instant messenger application. This latest maintenance and security update addresses a potential denial-of-service (DoS) vulnerability caused by corrupt buddy icons. According to the developers, a remote attacker who uses a specially crafted GIF image file as their buddy icon could cause the application to be terminated due to excessive memory use.
Other changes in the update include "significantly improved performance" for larger IRC channels, sorting fixes for entries in the chat user list and updates for logging into ICQ. AIM and ICQ crashes on "some non-mainstream OSes" have also been fixed. All users are advised to upgrade.
More details about the update can be found in the change log. Pidgin 2.9.0 is available to download for Windows, Mac OS X and RHEL-based Linux distributions from the project's site. As Ubuntu ships with Pidgin, but does not typically update it after a release, Ubuntu users need to refer to the Ubuntu-specific install page on the Pidgin site to install the new version. Hosted on SourceForge, Pidgin is licensed under the GNU General Public Licence (GPL).
- Remote denial of service from corrupt buddy icons, Pidgin security advisory.