Remote crashes being fixed in Pidgin 2.6.6

Mark Doliner mark at
Tue Feb 16 04:51:49 EST 2010

Here's an update!
* 3 separate security issues
* Not yet public knowledge
* Pidgin 2.6.6 has been created, but NOT YET RELEASED TO THE PUBLIC.
I'll send the tarballs in separate emails to avoid making this email
* Patches to fix the issues are attached.  These are what went into
2.6.6.  They apply to 2.6.2 with just a little fuzz and offsets and
should work fine.  Anything older will need manual intervention for at
least one of the changes.  ALSO NOT YET PUBLIC
* Embargo date is GMT 08:00:00am Feb 18 for all information, including
the patches and the tarball
* We'll release Pidgin 2.6.6 and push the changes to our code
repository shortly after the embargo date

1. CVE-2010-0277 - "MSN SLP Remote Crash"

This is the crash discovered by Fabian Yamaguchi and mentioned at, but I
don't feel that there are enough published details about this for it
to be considered public.  I do not know if there is potential for
remote code execution.

2. CVE-2010-0420 - "Finch XMPP MUC Crash"

Discovered by Sadrul Habib Chowdhury last week.  In an XMPP MUC, if
someone changes the nick to '<br>' (using '/nick <br>' for example),
then libpurple ends up having two users with username '\n' in the
room, and finch crashes in this situation.  We do not believe there is
a possibility of remote code execution.

I believe this commit fixes the problem, and there is a patch attached
to add an extra safety check to Finch:

3. CVE-2010-0423 - "Smiley Denial of Service"

Pidgin becomes unresponsive and consumes lots of CPU when receiving an
IM containing many smileys.  This is a remote denial of service
attack, but is not exploitable in any other way.  It was reported to
us by Andrea Barisani of ocert.  I did revise the previous patch.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2010-0277.diff
Type: text/x-patch
Size: 3923 bytes
Desc: not available
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2010-0420.diff
Type: text/x-patch
Size: 630 bytes
Desc: not available
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2010-0423.diff
Type: text/x-patch
Size: 4362 bytes
Desc: not available
URL: <>

More information about the Packagers mailing list