Several vulnerabilities closed in Pidgin 2.5.6
Version 2.5.6 of the cross-platform open source instant messaging client Pidgin, formerly named Gaim, fixes several security vulnerabilities. The vulnerabilities include two buffer overflows caused by MSN malformed SLP messages and the XMPP SOCKS5 server not correctly checking the bounds of a buffer when starting an outgoing connection for file transfers.
The MSN SLP buffer overflow should have actually been fixed since the middle of last year. According to the developer, the previous fix was deemed incomplete as the size check didn't work properly and caused an integer overflow, rendering the check useless. Both buffer overflows could be used to inject and remotely execute code.
In addition, the XMPP and Sametime protocol plug-ins were vulnerable to a remote denial of service attack that could potentially lead to a crash. Another remote denial of service was possible when receiving a specific QQ packet. The new release also includes several bug fixes and other improvements.
- Pidgin Security Advisories, Overview of Pidgin vulnerabilities.