Pidgin update addresses emoticon vulnerability
The Pidgin developers have released version 2.6.5 of their open source instant messenger application. The update addresses a directory traversal vulnerability in the MSN protocol implementation of libpurple, the messaging library used by the multi-platform instant messaging client.
The vulnerability was originally demonstrated at the end of December at the 26th Chaos Communication Congress (26C3), as part of a presentation by security researcher Fabian Yamaguchi on how small flaws can be utilised to penetrate a network. According to Yamaguchi, the flaw allows a remote attacker to retrieve arbitrary files from a victim's computer via a crafted MSN custom emoticon (smiley) download request: the file name supplied in the request is not confined to the directory where the client stores its smileys. All versions up to and including Pidgin 2.6.4 are reportedly vulnerable. The developers advise all users to update to the latest release.
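The bug class described above, as an added illustration that is not libpurple's code and does not reproduce the actual Pidgin fix: a hypothetical handler receives a peer-supplied smiley file name and must not let it escape the local smiley cache. The vulnerable pattern simply joins the name onto the cache directory; the hardened variants either insist on a bare file name or canonicalise the path and verify containment. The function names, the cache directory and the sample requests are assumptions made here for the example.

```python
"""Confining a peer-supplied emoticon file name to the local smiley cache.

Illustrative code written for this article, not libpurple's own handler.
It models the bug class described above: a remote peer names the custom
smiley it wants, and the client must not let that name walk out of the
directory where smileys are stored. All names below are assumptions.
"""
import os
import tempfile
from pathlib import Path

# Constructed sample requests, as a remote peer might send them.
SAMPLE_REQUESTS = [
    "happy.png",                # a legitimate custom smiley
    "../../../etc/passwd",      # classic dot-dot traversal
    "/etc/passwd",              # absolute path: os.path.join would drop the base
    "sub/../../secret.txt",     # traversal hidden behind a benign component
]


class TraversalError(ValueError):
    """Raised when a requested name would leave the smiley cache directory."""


def make_cache_dir() -> str:
    """Create a throwaway directory standing in for the client's smiley cache."""
    return tempfile.mkdtemp(prefix="smileys-")


def resolve_naive(cache_dir: str, requested: str) -> str:
    """Vulnerable pattern: trust the peer-supplied name and join it onto the cache.

    normpath collapses the '..' components, so the result can point anywhere
    the client process is able to read.
    """
    return os.path.normpath(os.path.join(cache_dir, requested))


def is_bare_filename(requested: str) -> bool:
    """Strictest check: a smiley name must be a single path component.

    Rejects empty names, '.', '..' and anything containing a path separator.
    """
    if requested in ("", ".", ".."):
        return False
    # os.sep and os.altsep cover '/' and, on Windows, '\\' as well.
    seps = [os.sep] + ([os.altsep] if os.altsep else [])
    return not any(s in requested for s in seps)


def resolve_confined(cache_dir: str, requested: str) -> str:
    """Hardened pattern: canonicalise, then verify containment.

    Even if sub-directories were allowed, the resolved path must stay under
    the resolved cache directory. Absolute requests are rejected up front
    because joining them would discard cache_dir entirely.
    """
    if os.path.isabs(requested):
        raise TraversalError(f"absolute path rejected: {requested!r}")
    base = Path(cache_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise TraversalError(f"escapes cache directory: {requested!r}") from None
    return str(candidate)


def classify_requests(cache_dir: str, requests=SAMPLE_REQUESTS) -> dict:
    """Run each request through both resolvers.

    Returns name -> (naive_path, confined_path_or_None); None means rejected.
    """
    results = {}
    for name in requests:
        naive = resolve_naive(cache_dir, name)
        try:
            confined = resolve_confined(cache_dir, name)
        except TraversalError:
            confined = None
        results[name] = (naive, confined)
    return results


if __name__ == "__main__":
    cache = make_cache_dir()
    for name, (naive, confined) in classify_requests(cache).items():
        print(f"{name!r:26} naive    -> {naive}")
        print(f"{'':26} confined -> {confined or 'REJECTED'}")
```

Running the script shows the naive resolver happily producing `/etc/passwd` for the dot-dot request while the confined resolver rejects every request except `happy.png`. In a real client the bare-file-name check is the simpler and safer choice, since a custom smiley has no legitimate reason to name a sub-directory; the containment check is what you need when sub-paths are genuinely required.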
- MSN file download vulnerability, security advisory from the Pidgin developers.
- MSN custom smiley request directory traversal file disclosure, security advisory from Red Hat.
- 26C3: Network design weaknesses, a report from The H.