Denial of Service vulnerability in Pidgin

Jan Lieskovsky jlieskov at
Wed Jun 22 12:59:35 EDT 2011

Hello, Mark, packagers, 

----- Original Message -----
From: "Mark Doliner" <mark at>
To: packagers at
Sent: Wednesday, June 22, 2011 10:05:18 AM
Subject: Re: Denial of Service vulnerability in Pidgin

Please do not publicly release this information or these files until
after the embargo date!

I've built Pidgin 2.9.0 with my fix and a few other bug fixes, mostly
for regression and crash bugs.  The full list of changes is below. The
files are at  I'm also
attaching a slightly updated patch. I think the differences between
this one and the first one are basically cosmetic.  The changes have
not been pushed to our public code repository.

The release is currently targeted for Thursday 10pm US Pacific time /
Friday 5am UTC, but it's possible this will be postponed if Gnome/Red
Hat/whoever wants to do a coordinated disclosure for a later date.  If
that happens, I'll let you know.  I also do not have a CVE yet--I'm
hoping to hear back from Jan about that.

We have decided to allocate a CVE identifier for underlying gdk-pixbuf
issue. The CVE identifier of CVE-2011-2485 has been assigned to that
gdk-pixbuf deficiency. Thus Pidgin as one of the applications affected
by this problem would reference this identifier.

Regarding the coordinated release date, Gnome upstream is OK with
proposed Thursday 10:00 PM US Pacific Time, but they would like
to commit to their repositories ~2 hours sooner (so you could already
reference the commit / CVE id in particular Pidgin upstream security
advisory). Would this work for you?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team


The changes in 2.9.0 are:
* Fix a potential remote denial-of-service bug related to displaying
  buddy icons.
* Significantly improved performance of larger IRC channels (regression
  introduced in 2.8.0).
* Fix Conversation->Add on AIM and MSN.
* Entries in the chat user list are sorted properly again.  This was
  inadvertenly broken in 2.8.0.

* Fix logging in to ICQ.

* media: Actually use the specified TCP port from the TURN configuration to
  create a TCP relay candidate.

AIM and ICQ:
* Fix crashes on some non-mainstream OSes when attempting to
  printf("%s", NULL).  (Clemens Huebner) (#14297)

* The Evolution Integration plugin compiles again.

Packagers mailing list
Packagers at

More information about the Packagers mailing list