Pardus: 2010-116: Pidgin: Denial of Service
Posted by Benjamin D. Thomas   
A flaw has been fixed in Pidgin, which can allow remote attackers to cause denial of service via X-Status message.
------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-116           security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2010-08-12
  Severity: 3
      Type: Local
------------------------------------------------------------------------

Summary
=======
A flaw has been fixed in Pidgin, which can allow remote attackers to
cause denial of service via X-Status message.


Description
===========
CVE-2010-2528:

The clientautoresp function in family_icbm.c in the oscar protocol
plugin in libpurple in Pidgin before 2.7.2 allows remote authenticated
users to cause a denial of service (NULL pointer dereference and
application crash) via an X-Status message that lacks the expected end
tag for a (1) desc or (2) title element.
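
The defect class described above, as an added illustration that is not Pidgin's family_icbm.c: an X-Status payload is scanned for a start and an end tag, and the unchecked variant computes the element length from the end-tag pointer even when strstr() returned NULL. The function below is a constructed hardened extractor that returns NULL for a missing end tag instead of crashing; tag names and inputs are assumptions.

```c
/* Constructed example of the X-Status parsing defect behind CVE-2010-2528.
 * Not Pidgin's code: it shows the NULL check the unsafe pattern lacks. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the text between <name> and </name> into a fresh buffer.
 * Returns NULL (instead of crashing) when either tag is absent.
 * Caller frees the result. */
char *xstatus_element(const char *xml, const char *name)
{
    char open_tag[32], close_tag[32];
    const char *start, *end;
    size_t len;
    char *out;

    if (xml == NULL || name == NULL)
        return NULL;
    snprintf(open_tag, sizeof open_tag, "<%s>", name);
    snprintf(close_tag, sizeof close_tag, "</%s>", name);

    start = strstr(xml, open_tag);
    if (start == NULL)
        return NULL;
    start += strlen(open_tag);

    /* The unchecked variant does `end = strstr(xml, close_tag);`
     * followed by `len = end - start;` and dereferences NULL when
     * the peer omits the end tag. The check below is the fix. */
    end = strstr(start, close_tag);
    if (end == NULL)
        return NULL;

    len = (size_t)(end - start);
    out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, start, len);
    out[len] = '\0';
    return out;
}

/* Returns 1 when both title and desc parse, 0 for a malformed message. */
int xstatus_is_well_formed(const char *xml)
{
    char *title = xstatus_element(xml, "title");
    char *desc = xstatus_element(xml, "desc");
    int ok = (title != NULL && desc != NULL);
    free(title);
    free(desc);
    return ok;
}
```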


Affected packages:

  Pardus 2009:
    pidgin, all before 2.7.2-40-14


Resolution
==========
There are update(s) for pidgin. You can update them via Package Manager
or with a single command from console:

    pisi up pidgin

References
==========
  * http://bugs.pardus.org.tr/show_bug.cgi?id948

------------------------------------------------------------------------