Denial of Service vulnerability in Pidgin

Mark Doliner mark at
Wed Jun 22 04:05:18 EDT 2011

Please do not publicly release this information or these files until
after the embargo date!

I've built Pidgin 2.9.0 with my fix and a few other bug fixes, mostly
for regression and crash bugs.  The full list of changes is below. The
files are at  I'm also
attaching a slightly updated patch. I think the differences between
this one and the first one are basically cosmetic.  The changes have
not been pushed to our public code repository.

The release is currently targeted for Thursday 10pm US Pacific time /
Friday 5am UTC, but it's possible this will be postponed if Gnome/Red
Hat/whoever wants to do a coordinated disclosure for a later date.  If
that happens, I'll let you know.  I also do not have a CVE yet--I'm
hoping to hear back from Jan about that.


The changes in 2.9.0 are:
* Fix a potential remote denial-of-service bug related to displaying
  buddy icons.
* Significantly improved performance of larger IRC channels (regression
  introduced in 2.8.0).
* Fix Conversation->Add on AIM and MSN.
* Entries in the chat user list are sorted properly again.  This was
  inadvertenly broken in 2.8.0.

* Fix logging in to ICQ.

* media: Actually use the specified TCP port from the TURN configuration to
  create a TCP relay candidate.

AIM and ICQ:
* Fix crashes on some non-mainstream OSes when attempting to
  printf("%s", NULL).  (Clemens Huebner) (#14297)

* The Evolution Integration plugin compiles again.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: check_gdkpixbuf_gerror-2.diff
Type: text/x-patch
Size: 31973 bytes
Desc: not available
URL: <>

More information about the Packagers mailing list