First published: Fri May 22 2009
Pidgin is an instant messaging program that can log in to multiple accounts on multiple instant messaging networks simultaneously.

A buffer overflow flaw was found in the way Pidgin initiates file transfers when using the Extensible Messaging and Presence Protocol (XMPP). If a Pidgin client initiates a file transfer, and the remote target sends a malformed response, it could cause Pidgin to crash or, potentially, execute arbitrary code with the permissions of the user running Pidgin. This flaw only affects accounts using XMPP, such as Jabber and Google Talk. (CVE-2009-1373)

It was discovered that on 32-bit platforms, the Red Hat Security Advisory RHSA-2008:0584 provided an incomplete fix for the integer overflow flaw affecting Pidgin's MSN protocol handler. If a Pidgin client receives a specially crafted MSN message, it may be possible to execute arbitrary code with the permissions of the user running Pidgin. (CVE-2009-1376)

Note: By default, when using an MSN account, only users on your buddy list can send you messages. This prevents arbitrary MSN users from exploiting this flaw.

All Pidgin users should upgrade to this update package, which contains backported patches to resolve these issues. Pidgin must be restarted for this update to take effect.
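The CVE-2009-1376 entry above illustrates a recurring pattern: a bounds check of the form "offset + len <= total" is sound when the sum is computed in a 64-bit type but wraps when the same expression is compiled with a 32-bit size type, so a fix that tests clean on x86_64 can still be bypassed on i386. The C below is an added, constructed illustration of that class and is not Pidgin's MSN handler, the RHSA-2008:0584 patch, or any code from the advisory; the function names, the 64-byte buffer and the 32-bit (offset, len) wire fields are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed example (not Pidgin's code): a handler copies a chunk
 * described by two 32-bit wire fields, offset and len, into a fixed
 * buffer of `total` bytes.  The same textual check behaves differently
 * depending on the width of the type the sum is computed in. */

enum { BUF_SIZE = 64 };

/* Sum computed in 64-bit arithmetic (what size_t gives on a 64-bit
 * platform): two 32-bit inputs cannot wrap, so the check is sound. */
int fits_with_64bit_sum(uint32_t offset, uint32_t len, uint32_t total)
{
    uint64_t end = (uint64_t)offset + len;
    return end <= total;
}

/* Same expression with a 32-bit sum (size_t on a 32-bit platform):
 * offset + len wraps modulo 2^32, so a huge len can look small. */
int fits_with_32bit_sum(uint32_t offset, uint32_t len, uint32_t total)
{
    uint32_t end = offset + len;   /* wraps silently on every platform */
    return end <= total;
}

/* Width-independent form: never build the sum; compare len against the
 * space remaining after offset, which cannot overflow. */
int fits_safe(uint32_t offset, uint32_t len, uint32_t total)
{
    if (offset > total)
        return 0;
    return len <= total - offset;
}

/* Copy a chunk into buf using the safe check.  Returns the number of
 * bytes copied, or -1 if the chunk was rejected. */
int process_chunk(uint8_t *buf, uint32_t total,
                  uint32_t offset, const uint8_t *data, uint32_t len)
{
    if (!fits_safe(offset, len, total))
        return -1;
    memcpy(buf + offset, data, len);
    return (int)len;
}

int main(void)
{
    /* Constructed inputs: a benign chunk, and a malicious one whose
     * offset + len equals exactly 2^32 and so wraps to 0 in 32 bits. */
    const uint32_t benign_off = 16, benign_len = 32;
    const uint32_t evil_off = 16, evil_len = 0xFFFFFFF0u;
    uint8_t buf[BUF_SIZE] = {0};
    uint8_t payload[32];
    memset(payload, 0x41, sizeof payload);

    printf("benign: 64-bit=%d 32-bit=%d safe=%d\n",
           fits_with_64bit_sum(benign_off, benign_len, BUF_SIZE),
           fits_with_32bit_sum(benign_off, benign_len, BUF_SIZE),
           fits_safe(benign_off, benign_len, BUF_SIZE));
    printf("evil:   64-bit=%d 32-bit=%d safe=%d\n",
           fits_with_64bit_sum(evil_off, evil_len, BUF_SIZE),
           fits_with_32bit_sum(evil_off, evil_len, BUF_SIZE),
           fits_safe(evil_off, evil_len, BUF_SIZE));
    printf("copied %d bytes\n",
           process_chunk(buf, BUF_SIZE, benign_off, payload, benign_len));
    return 0;
}
```

The malicious chunk is rejected by the 64-bit variant and by the safe form, but accepted by the 32-bit variant, which is the shape of an "incomplete on 32-bit platforms" fix. When reviewing a backport, compile and test it for the narrowest size type the package ships on, and prefer checks that subtract from the known bound rather than adding attacker-controlled lengths together.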