Aug 22, 2011 14:57 GMT

Several security issues have been addressed in version 2.10.0 of the Pidgin instant messaging application, which could be exploited to trigger a denial of service condition or compromise the system.

The vulnerability that can have the most serious impact stems from the IM client previously executing files when users click on "file://" URIs.

This can be exploited to run malicious code by tricking users into clicking URIs that point to files hosted on network shares. However, it only affects Windows systems.
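The fix described above amounts to a policy decision: a `file://` URI is never handed to the operating system's URL launcher, whatever the rest of the URI looks like. The following is an added illustration of that policy in C, not Pidgin's own code; the scheme allow-list (`http`, `https`, `mailto`) and the sample URIs are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum uri_action {
    URI_LAUNCH,        /* may be handed to the system URL handler */
    URI_DISPLAY_ONLY,  /* render as text only; never open or execute */
    URI_INVALID        /* no RFC 3986 scheme could be parsed */
};

/* Copy the URI's scheme into out, lowercased. RFC 3986 scheme grammar:
 * ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), terminated by ':'.
 * Returns 1 on success, 0 if no well-formed scheme is present. */
int uri_scheme(const char *uri, char *out, size_t outsz)
{
    size_t i;

    while (*uri == ' ' || *uri == '\t')   /* tolerate leading whitespace */
        uri++;
    if (!isalpha((unsigned char)uri[0]))
        return 0;
    for (i = 0; uri[i] != '\0' && uri[i] != ':'; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.'))
            return 0;
        if (i + 1 >= outsz)               /* scheme longer than the buffer */
            return 0;
        out[i] = (char)tolower(c);
    }
    if (uri[i] != ':')                    /* ran off the end without a delimiter */
        return 0;
    out[i] = '\0';
    return 1;
}

/* Decide what the client may do with a clicked URI. The allow-list is a
 * constructed example; a real client would take it from its configuration. */
enum uri_action classify_uri(const char *uri)
{
    static const char *const launchable[] = { "http", "https", "mailto", NULL };
    char scheme[32];
    size_t i;

    if (uri == NULL || !uri_scheme(uri, scheme, sizeof scheme))
        return URI_INVALID;
    /* file:// is never launched, whatever the host part looks like, so UNC
     * forms such as file://fileserver/share/tool.exe are shown as plain text. */
    if (strcmp(scheme, "file") == 0)
        return URI_DISPLAY_ONLY;
    for (i = 0; launchable[i] != NULL; i++)
        if (strcmp(scheme, launchable[i]) == 0)
            return URI_LAUNCH;
    return URI_DISPLAY_ONLY;              /* unknown scheme: allow-list, not deny-list */
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = {
        "https://example.com/",
        "FILE://fileserver/share/tool.exe",
        "file:///C:/Users/Public/notes.txt",
        "gopher://example.net/",
        "not a uri",
    };
    static const char *const names[] = { "launch", "display only", "invalid" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s -> %s\n", samples[i], names[classify_uri(samples[i])]);
    return 0;
}
```

Two details matter in practice: the scheme comparison is done on a lowercased copy, so `FILE://` is treated the same as `file://`, and unknown schemes fall through to display-only rather than being launched, which keeps the decision an allow-list.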

Another patched vulnerability, discovered by Djego Ibanez, QA lead at Gamistry, and identified as CVE-2011-2943, allows attackers to execute remote denial of service attacks against Pidgin.

"Certain characters in the nicknames of IRC users can trigger a null pointer dereference in the IRC protocol plugin's handling of responses to WHO requests," the developers explain.

Libpurple is the core IM library used by Pidgin and several other IM clients, such as Meebo or Adium. The library was updated to better validate data received from the IRC server.
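The two paragraphs above describe the general defence against this class of bug: treat every field of a server response as untrusted, check lengths and field counts before using them, and never dereference a result without confirming it exists. As an added illustration (not libpurple's code, and not a claim about which characters triggered the original crash), here is a bounded parser for an IRC `RPL_WHOREPLY` (numeric 352) line in C. The message layout assumed is the RFC 2812 one, the nickname grammar is RFC 2812's, and the sample lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 512   /* RFC 2812: a message is at most 512 bytes incl. CRLF */
#define MAX_FIELDS   16
#define NICK_MAX     64
#define FIELD_MAX    256

enum who_status {
    WHO_OK = 0,
    WHO_ERR_TOO_LONG,      /* line or field does not fit its buffer */
    WHO_ERR_NOT_WHOREPLY,  /* numeric is not 352 */
    WHO_ERR_TOO_FEW,       /* fewer parameters than RPL_WHOREPLY requires */
    WHO_ERR_BAD_NICK       /* nickname violates the RFC 2812 grammar */
};

struct who_reply { char channel[FIELD_MAX]; char nick[NICK_MAX]; char realname[FIELD_MAX]; };

/* RFC 2812 nickname: ( letter / special ) *( letter / digit / special / "-" ),
 * where special is one of []\`_^{|}. */
static int nick_char_ok(unsigned char c, int first)
{
    if (isalpha(c)) return 1;
    if (c != '\0' && strchr("[]\\`_^{|}", c) != NULL) return 1;
    return !first && (isdigit(c) || c == '-');
}

int nick_valid(const char *nick)
{
    size_t i;
    if (nick == NULL || nick[0] == '\0' || strlen(nick) >= NICK_MAX) return 0;
    for (i = 0; nick[i] != '\0'; i++)
        if (!nick_char_ok((unsigned char)nick[i], i == 0)) return 0;
    return 1;
}

/* Bounded copy: refuses rather than silently truncating. */
static int copy_field(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz) return 0;
    memcpy(dst, src, n + 1);
    return 1;
}

/* Parse one raw line of the form
 *   :<server> 352 <me> <channel> <user> <host> <server> <nick> <flags> :<hops> <realname>
 * Lengths and field counts are checked before any field is used, and the
 * caller gets a status code instead of a pointer that might be NULL. */
enum who_status parse_who_reply(const char *line, struct who_reply *out)
{
    char buf[LINE_MAX_LEN], *fields[MAX_FIELDS], *p, *colon;
    const char *trailing = "", *realname;
    int n = 0, base;

    if (line == NULL || out == NULL) return WHO_ERR_TOO_FEW;
    if (strlen(line) >= sizeof buf) return WHO_ERR_TOO_LONG;
    memcpy(buf, line, strlen(line) + 1);
    memset(out, 0, sizeof *out);
    buf[strcspn(buf, "\r\n")] = '\0';             /* drop the CRLF terminator */

    colon = strstr(buf, " :");                    /* trailing parameter may contain spaces */
    if (colon != NULL) { *colon = '\0'; trailing = colon + 2; }

    for (p = buf; *p != '\0'; ) {                 /* split middle parameters on spaces */
        while (*p == ' ') p++;
        if (*p == '\0') break;
        if (n == MAX_FIELDS) return WHO_ERR_TOO_LONG;
        fields[n++] = p;
        while (*p != '\0' && *p != ' ') p++;
        if (*p == ' ') *p++ = '\0';
    }

    base = (n > 0 && fields[0][0] == ':') ? 1 : 0; /* optional ":server" prefix */
    if (n - base < 1) return WHO_ERR_TOO_FEW;
    if (strcmp(fields[base], "352") != 0) return WHO_ERR_NOT_WHOREPLY;
    if (n - base < 8) return WHO_ERR_TOO_FEW;     /* 352 me chan user host server nick flags */
    if (!nick_valid(fields[base + 6])) return WHO_ERR_BAD_NICK;

    if (!copy_field(out->channel, sizeof out->channel, fields[base + 2]) ||
        !copy_field(out->nick, sizeof out->nick, fields[base + 6]))
        return WHO_ERR_TOO_LONG;
    realname = strchr(trailing, ' ');             /* real name follows the hop count */
    realname = (realname != NULL) ? realname + 1 : "";
    if (!copy_field(out->realname, sizeof out->realname, realname)) return WHO_ERR_TOO_LONG;
    return WHO_OK;
}

/* Convenience lookup: the validated nick, or NULL on any failure. The caller
 * must check for NULL before use; static storage, so not reentrant. */
const char *who_reply_nick(const char *line)
{
    static struct who_reply r;
    return parse_who_reply(line, &r) == WHO_OK ? r.nick : NULL;
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    const char *lines[] = {
        ":irc.example.net 352 me #chan ~alice host.example.net irc.example.net alice H :0 Alice Example\r\n",
        ":irc.example.net 352 me #chan ~bob host.example.net irc.example.net bad!nick H :0 Bob\r\n",
        ":irc.example.net 352 me #chan\r\n",
    };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        const char *nick = who_reply_nick(lines[i]);
        printf("line %zu: %s\n", i, nick != NULL ? nick : "(rejected)");
    }
    return 0;
}
```

The point of `who_reply_nick` returning NULL, and of every caller testing for it, is exactly the failure mode the developers describe: a lookup that can fail must not be followed by an unconditional dereference. Rejecting the whole message on a bad nickname is the conservative choice; a client could also keep the entry and only skip the parts that depend on the nickname.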

The final vulnerability addressed in this Pidgin version can also cause a crash and stems from the incorrect handling of HTTP 100 responses received over the MSN protocol.

"This can cause the application to attempt to access memory that it does not have access to," the developers explain. Fortunately, the HTTP connection method is off by default and can only be exploited by a server.

Previously known as Gaim, Pidgin is an open source cross-platform instant messaging client using a GTK+-based front-end on top of the libpurple library. It supports most instant messaging protocols and is distributed under the GPL license.
