Multiple NULL pointer dereference flaws were found in the way Yahoo protocol plug-in of the Pidgin instant messaging client handled malformed YMSG packets (SMS messages and notification packets). A remote, authenticated user could use this flaw to cause denial of service (Pidgin crash) via specially-crafted notification message. The SMS messages handling issue is exploitable only via specially-crafted SMS message, sent from remote, malicious Yahoo server. Acknowledgements: Red Hat would like to thank the Pidgin project for reporting these issues. Upstream acknowledges Marius Wachtler as the original reporter.
This issue affects the versions of the pidgin package, as shipped with Red Hat Enterprise Linux 4, 5, and 6. -- This issue affects the versions of the pidgin package, as shipped with Fedora release of 13 and 14.
The CVE identifier of CVE-2011-1091 has been assigned to these issues.
public via: http://pidgin.im/news/security/?id=51
Created pidgin tracking bugs for this issue Affects: fedora-all [bug 684120]
Statement: This issue affects the versions of pidgin package as shipped with Red Hat Enterprise Linux 4, 5 and 6. The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:0616 https://rhn.redhat.com/errata/RHSA-2011-0616.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2011:1371 https://rhn.redhat.com/errata/RHSA-2011-1371.html