Pidgin 2.7.0 addresses emoticon vulnerability
The Pidgin developers have announced the release of version 2.7.0 of their open source instant messenger application. According to Pidgin developer John Bailey, the latest major release includes a number of bug fixes and new features and addresses a security issue.
Pidgin 2.7.0 features a new user interface (UI) for sending attentions, such as buzz or nudge, on supported protocols, the addition of a menu set moot for XMPP and ICQ accounts, and support for IPv6 has been added to Bonjour, formerly known as Rendezvous. Support for custom ICQ status icons known as X-Status, and sending and receiving HTML-formatted messages in ICQ have also been added. Other changes include fixes for AIM, ICQ, and Yahoo! JAPAN login, and updates to the Message Timestamp Formats plug-in.
A denial of service (DoS) issue in libpurple's MSN protocol plug-in related to emoticons has also been addressed that could have allowed an attacker to remotely crash a users client. The vulnerability does not, however, allow for the execution of arbitrary code. This isn't the first time MSN emoticons have lead to security problems in Pidgin. The previous 2.6.6 release from February addressed two MSN related exploits. The developers note that support for version 9 of the MSN protocol has been removed as it is no longer supported on the servers and advise all users to upgrade to the latest release as soon as possible.
More details about the release can be found in the change log. Pidgin 2.7.0 is available to download for Windows, Mac OS X and Linux from the project's web site requires GLib 2.12.0 and GTK+ 2.10.0 or later. Pidgin is released under the GNU General Public License (GPL).
- MSN emoticon denial of service, Pidgin security advisory.