Mark Doliner, an upstream pidgin/libpurple developer, discovered a NULL pointer dereference flaw in the way libpurple handled certain malformed X-Status messages in the ICQ/Oscar protocol. This flaw could allow a remote attacker to crash a victim's instant messenger application using libpurple, such as pidgin.

This issue only affected pidgin/libpurple versions 2.7.x and was fixed in upstream version 2.7.2.

Upstream security advisory: http://pidgin.im/news/security/?id=47
Upstream commit: http://developer.pidgin.im/viewmtn/revision/info/8e8ff246492e45af8f8d0808296d6f2906794dc0

Statement: Not vulnerable. This issue did not affect the versions of pidgin as shipped with Red Hat Enterprise Linux 3, 4, or 5.
pidgin-2.7.2-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
pidgin-2.7.2-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.