Bug 2449948 (CVE-2019-25544)

Summary: CVE-2019-25544 Pidgin: Pidgin: Denial of Service via excessively long username
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: jskarvad
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A denial of service flaw was found in Pidgin. A local attacker can supply an excessively long username string when creating an account; the application then crashes when that account joins a chat, making Pidgin unavailable.
Bug Depends On: 2450324, 2450325

Description OSIDB Bzimport 2026-03-21 13:01:43 UTC
Pidgin 2.13.0 contains a denial of service vulnerability that allows local attackers to crash the application by providing an excessively long username string during account creation. Attackers can input a buffer of 1000 characters in the username field and trigger a crash when joining a chat, causing the application to become unavailable.
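
The description above gives the trigger (a ~1000-character username accepted at account creation) but not the code path that crashes, and comment 4 below notes that no working reproducer has been supplied. The following is an added example, not Pidgin's code and not a reproducer: it shows the kind of input validation that keeps an over-long or malformed username from ever reaching protocol code that may copy it into a fixed-size buffer. The 64-byte limit, the character policy, and the function names are assumptions for illustration only; Pidgin's own per-protocol limits are not stated on this page.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for this example only (hypothetical, not Pidgin's value). */
#define MAX_USERNAME_LEN 64

enum username_status {
    USERNAME_OK = 0,
    USERNAME_EMPTY,
    USERNAME_TOO_LONG,
    USERNAME_BAD_CHAR
};

/* Length scan that stops at 'limit' bytes, so validating a huge input
 * never walks the whole string (and never depends on a NUL being present
 * within the attacker-chosen length). Written here instead of strnlen()
 * to stay within ISO C. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Validate an untrusted username before it is stored with the account.
 * Rejects empty names, names longer than MAX_USERNAME_LEN, and names
 * containing control characters or whitespace (an assumed policy; real
 * protocols have their own nick/JID grammar). */
enum username_status validate_username(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return USERNAME_EMPTY;

    /* Scan at most MAX_USERNAME_LEN + 1 bytes: if no NUL was seen by then,
     * the name is too long regardless of its true length. */
    size_t len = bounded_len(name, MAX_USERNAME_LEN + 1);
    if (len > MAX_USERNAME_LEN)
        return USERNAME_TOO_LONG;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (iscntrl(c) || isspace(c))
            return USERNAME_BAD_CHAR;
    }
    return USERNAME_OK;
}

/* Copy a username into a fixed-size destination only after it has passed
 * validation, so a 1000-byte string can never reach the copy. The caller's
 * buffer must hold MAX_USERNAME_LEN + 1 bytes. Returns true on success. */
bool store_username(char *dst, size_t dst_size, const char *name)
{
    if (dst == NULL || dst_size < MAX_USERNAME_LEN + 1)
        return false;
    if (validate_username(name) != USERNAME_OK)
        return false;
    /* Bounded copy; validate_username() already guarantees it fits. */
    snprintf(dst, dst_size, "%s", name);
    return true;
}

int main(void)
{
    char stored[MAX_USERNAME_LEN + 1];

    /* Constructed input mirroring the description: 1000 bytes of 'A'. */
    char huge[1001];
    memset(huge, 'A', 1000);
    huge[1000] = '\0';

    printf("alice       -> %s\n",
           store_username(stored, sizeof stored, "alice") ? "accepted" : "rejected");
    printf("1000 x 'A'  -> %s\n",
           store_username(stored, sizeof stored, huge) ? "accepted" : "rejected");
    printf("\"bad name\"  -> %s\n",
           store_username(stored, sizeof stored, "bad name") ? "accepted" : "rejected");
    return 0;
}
```

The point of the bounded scan is that validation itself must not become the crash site: checking `strlen(name) > MAX` on a hostile string is still an unbounded walk, whereas stopping at MAX + 1 bytes gives a verdict in constant work.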

Comment 2 Jaroslav Škarvada 2026-04-01 10:51:59 UTC
Isn't it for pidgin <= 2.13.0? IMHO pidgin-2.14 is everywhere (fedora-42 - 45, EPEL-9).

Comment 3 Jaroslav Škarvada 2026-04-01 11:21:32 UTC
IMHO pidgin <= 2.13.0 is in RHEL-7, RHEL-8

Comment 4 Jaroslav Škarvada 2026-04-01 11:29:30 UTC
I wasn't able to reproduce with pidgin-2.14.4, nor with pidgin-2.10.11-9.el7. I tried with the Bonjour protocol. Could you provide a correct reproducer?