Mark Doliner, an upstream pidgin/libpurple developer, discovered a NULL pointer dereference flaw in the way libpurple handled certain malformed X-Status messages in the ICQ/Oscar protocol. This flaw could allow a remote attacker to crash a victim's instant messenger application using libpurple, such as pidgin.
This issue only affected pidgin/libpurple versions 2.7.x and was fixed in upstream version 2.7.2.
Upstream security advisory:
Not vulnerable. This issue did not affect the versions of pidgin as shipped with Red Hat Enterprise Linux 3, 4, or 5.
pidgin-2.7.2-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
pidgin-2.7.2-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.