Softpedia
 


June 27th, 2011, 15:45 GMT · By

Remote Denial of Service Vulnerability Patched in Pidgin



Pidgin 2.0.9 fixes denial of service issue
The Pidgin development team has released version 2.0.9 of the popular instant messaging application in order to address a remotely-exploitable denial-of-service vulnerability.

Identified as CVE-2011-2485, the vulnerability was discovered by Mark Doliner and allows an attacker to crash a user's application by simply setting a specially-crafted GIF image as his buddy icon.

"It was found that the gdk-pixbuf GIF image loader routine gdk_pixbuf__gif_image_load() did not properly handle certain return values from its subroutines.

"A remote attacker could provide a specially-crafted GIF image, which, once opened in Pidgin, would lead gdk-pixbuf to return a partially initialized pixbuf structure, possibly having huge width and height, which could lead to the application being terminated due to excessive memory use," the official advisory explains.
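
As an added illustration (not Pidgin or gdk-pixbuf code, and not the actual patch), an application that accepts untrusted buddy icons can check the sizes a GIF declares before handing it to any decoder. The function name, the sample bytes and the one-megapixel cap below are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_ICON_PIXELS (1024u * 1024u) /* assumed policy cap, not a Pidgin value */
/* Constructed sample: a minimal 1x1 GIF89a with a two-entry global color table. */
static const uint8_t SAMPLE_GIF[35] = {
    'G','I','F','8','9','a', 1,0, 1,0, 0x80,0,0,  0,0,0, 0xFF,0xFF,0xFF,
    0x2C, 0,0, 0,0, 1,0, 1,0, 0,  0x02, 0x02,0x4C,0x01, 0x00,  0x3B };

static uint32_t le16(const uint8_t *p) { return p[0] | ((uint32_t)p[1] << 8); }

/* Skip a chain of data sub-blocks; returns the new offset, or 0 if truncated. */
static size_t skip_sub_blocks(const uint8_t *b, size_t n, size_t off) {
    while (off < n) {
        size_t sz = b[off++];
        if (sz == 0) return off;                 /* block terminator */
        if (sz > n - off) return 0;
        off += sz;
    }
    return 0;
}

/* 1 if the stream parses through to the trailer and every declared size is
 * non-zero and within the cap; 0 otherwise (reject before decoding). */
int gif_icon_dims_ok(const uint8_t *b, size_t n) {
    if (n < 13 || (memcmp(b, "GIF87a", 6) && memcmp(b, "GIF89a", 6))) return 0;
    uint32_t w = le16(b + 6), h = le16(b + 8);   /* logical screen size */
    if (!w || !h || w * h > MAX_ICON_PIXELS) return 0;
    size_t off = 13;
    if (b[10] & 0x80) off += (size_t)3 << ((b[10] & 7) + 1); /* global color table */
    int frames = 0;
    while (off < n) {
        uint8_t tag = b[off++];
        if (tag == 0x3B) return frames > 0;      /* trailer */
        if (tag == 0x2C) {                       /* image descriptor */
            if (n - off < 9) return 0;
            uint32_t fw = le16(b + off + 4), fh = le16(b + off + 6);
            if (!fw || !fh || fw * fh > MAX_ICON_PIXELS) return 0;
            uint8_t fl = b[off + 8];             /* per-frame flags */
            off += 9;
            if (fl & 0x80) off += (size_t)3 << ((fl & 7) + 1); /* local color table */
            frames++;
        } else if (tag != 0x21) return 0;        /* only extensions remain valid */
        if (off >= n) return 0;
        off = skip_sub_blocks(b, n, off + 1);    /* skip label or LZW size byte */
        if (off == 0) return 0;
    }
    return 0;                                    /* no trailer: truncated */
}
```

A check like this limits what an application is willing to decode; it does not replace updating the image library itself.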

Vulnerability research vendor Secunia rates this vulnerability as "not critical," but users are nevertheless encouraged to update.

In addition to the security patch, this release also contains bug fixes and other performance enhancements. For example, a bug in "Conversation -> Add" on AIM and MSN was resolved and so was the sorting in the chat user list.

The performance of the program when dealing with large Internet Relay Chat (IRC) channels has been significantly improved and the new version also contains fixes for issues in third-party components and plug-ins.

An ICQ authentication problem and an improper port use issue for TCP relay creation in libpurple were addressed, as well as some crashes on non-mainstream OSes when attempting to printf("%s", NULL) and a compilation problem with the Evolution Integration plugin.

Pidgin is an open source cross-platform instant messaging client based on the libpurple library. It has support for most instant messaging protocols and is distributed under the GPL license.

Pidgin for Windows can be downloaded from here.
Pidgin for Linux can be downloaded from here.
