An out-of heap-based buffer read flaw was found in the way OSCAR (Open System for CommunicAtion in Realtime) protocol plug-in of Pidgin, a Gtk+ based multiprotocol instant messaging client, processed authorization denied messages, containing non-UTF-8 sequences. If a rogue server sent a specially-crafted authorization denied message, it could lead to denial of service (Pidgin crash). Reference: http://pidgin.im/news/security/?id=57 Patch: http://developer.pidgin.im/viewmtn/revision/info/757272a78a8ca6027d518e614712c3399e34dda3
This issue affects the versions of the pidgin package, as shipped with Red Hat Enterprise Linux 4, 5, and 6. -- This issue affects the versions of the pidgin package, as shipped with Fedora release of 15 and 16.
Acknowledgements: Red Hat would like to thank the Pidgin project for reporting these issues. Upstream acknowledges Evgeny Boger as the original reporter.
Created pidgin tracking bugs for this issue Affects: fedora-all [bug 766454]
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:1821 https://rhn.redhat.com/errata/RHSA-2011-1821.html
This issue has been addressed in following products: Red Hat Enterprise Linux 4 Red Hat Enterprise Linux 5 Via RHSA-2011:1820 https://rhn.redhat.com/errata/RHSA-2011-1820.html
pidgin-2.10.1-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
pidgin-2.10.1-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.