Pidgin IM client update fixes buffer overflow vulnerability
A new update, version 2.10.5, to the open source Pidgin instant messaging program has been released, closing an important security hole. Previous versions of Pidgin contained a vulnerability, discovered by Ulf Härnhammar, in the MXit component, where parsing incoming messages with inline images led to a buffer overflow.
The developers say that this could have been exploited by an attacker to execute arbitrary code on a victim's system by using a specially crafted message. Versions up to and including 2.10.4 are affected. Upgrading to Pidgin 2.10.5 fixes the problem; all users are advised to upgrade. Other bugs, including an issue that caused the application to crash, have also been fixed.
A full list of fixes can be found in the change log. Pidgin 2.10.5 is available to download from the project's site. Binaries and source code for Pidgin are hosted on SourceForge and are licensed under the GPLv2.
Update: A day after publishing Pidgin 2.10.5, the developers have released version 2.10.6 to fix a problem that required users to triple-click a conversation window to open it from the buddy list.
- MXit buffer overflow, Pidgin security advisory.