In association with heise online

22 May 2009, 09:52

Several vulnerabilities closed in Pidgin 2.5.6

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Version 2.5.6 of the cross-platform open source instant messaging client Pidgin, formerly named Gaim, fixes several security vulnerabilities. The vulnerabilities include two buffer overflows caused by MSN malformed SLP messages and the XMPP SOCKS5 server not correctly checking the bounds of a buffer when starting an outgoing connection for file transfers.

The MSN SLP buffer overflow should have actually been fixed since the middle of last year. According to the developer, the previous fix was deemed incomplete as the size check didn't work properly and caused an integer overflow, rendering the check useless. Both buffer overflows could be used to inject and remotely execute code.

In addition, the XMPP and Sametime protocol plug-ins were vulnerable to a remote denial of service attack that could potentially lead to a crash. Another remote denial of service was possible when receiving a specific QQ packet. The new release also includes several bug fixes and other improvements.

More details about the release can be found in the Change Log. All users are advised to update to the latest version.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit