Remote crashes being fixed in Pidgin 2.6.6

Mark Doliner mark at
Thu Feb 18 03:44:11 EST 2010

Released now.  Tarballs available at

Our pages that list these security problems have been updated:


On Tue, Feb 16, 2010 at 1:51 AM, Mark Doliner <mark at> wrote:
> Here's an update!
> * 3 separate security issues
> * Not yet public knowledge
> * Pidgin 2.6.6 has been created, but NOT YET RELEASED TO THE PUBLIC.
> I'll send the tarballs in separate emails to avoid making this email
> huge.
> * Patches to fix the issues are attached.  These are what went into
> 2.6.6.  They apply to 2.6.2 with just a little fuzz and offsets and
> should work fine.  Anything older will need manual intervention for at
> least one of the changes.  ALSO NOT YET PUBLIC
> * Embargo date is GMT 08:00:00am Feb 18 for all information, including
> the patches and the tarball
> * We'll release Pidgin 2.6.6 and push the changes to our code
> repository shortly after the embargo date
> 1. CVE-2010-0277 - "MSN SLP Remote Crash"
> This is the crash discovered by Fabian Yamaguchi and mentioned at
>, but I
> don't feel that there are enough published details about this for it
> to be considered public.  I do not know if there is potential for
> remote code execution.
> 2. CVE-2010-0420 - "Finch XMPP MUC Crash"
> Discovered by Sadrul Habib Chowdhury last week.  In an XMPP MUC, if
> someone changes the nick to '<br>' (using '/nick <br>' for example),
> then libpurple ends up having two users with username '\n' in the
> room, and finch crashes in this situation.  We do not believe there is
> a possibility of remote code execution.
> I believe this commit fixes the problem, and there is a patch attached
> to add an extra safety check to Finch:
> 3. CVE-2010-0423 - "Smiley Denial of Service"
> Pidgin becomes unresponsive and consumes lots of CPU when receiving an
> IM containing many smileys.  This is a remote denial of service
> attack, but is not exploitable in any other way.  It was reported to
> us by Andrea Barisani of ocert.  I did revise the previous patch.
> --Mark

More information about the Packagers mailing list