A NULL pointer dereference flaw was found in the way the Pidgin MSN
DirectConnect protocol implementation processed certain
P2P messages. A remote, authenticated user could use this flaw
to cause a denial of service (Pidgin crash).
Red Hat would like to thank the Pidgin project for reporting this issue.
Upstream acknowledges Stu Tomlinson as the original reporter.
This issue did NOT affect the versions of the Pidgin package, as shipped
with Red Hat Enterprise Linux 4, 5, or 6.
This issue affects the versions of the Pidgin package, as shipped with
Fedora releases 13 and 14.
Created pidgin tracking bugs for this issue:
Affects: fedora-all [bug 665856]
This issue did not affect the versions of the pidgin package as shipped with
Red Hat Enterprise Linux 4, 5, and 6 as this issue is specific to versions
of libpurple from 2.7.6 up to 2.7.8.
This has been assigned CVE-2010-4528.
This was fixed in Fedora via pidgin-2.7.9-1.fc13 / fc14 / fc15:
* Mon Dec 27 2010 Stu Tomlinson <stu@...> 2.7.9-1
- 2.7.9, includes security/DoS fix in the MSN protocol (#665856)