A denial of service flaw was found in the way the MSN protocol plug-in of Pidgin, a Gtk+ based multiprotocol instant messaging client, performed sanitization of certain non-UTF-8-encoded text prior to its presentation. A remote attacker could send specially-crafted non-UTF-8-encoded text (for example via an Offline Instant Message post), which, once processed by the victim's Pidgin client, would cause that Pidgin client to abort.

Upstream bug report:
[1] http://developer.pidgin.im/ticket/14884

Upstream security page entry:
[2] http://pidgin.im/news/security/?id=61

CVE request:
[3] http://www.openwall.com/lists/oss-security/2012/03/14/2

Upstream patches:
[4] http://developer.pidgin.im/viewmtn/revision/info/3053d6a37cc6d8774aba7607b992a4408216adcd
[5] http://developer.pidgin.im/viewmtn/revision/info/ecabfaee8a1ca02e18ebadbb41cdcce19e78bc2e
[6] http://developer.pidgin.im/viewmtn/revision/info/b1b8c222ab921963f43e83502b6c6e2e4489a8c4
[7] http://developer.pidgin.im/viewmtn/revision/info/fdb56683f2b5f88f7b388aaef6c53c810d19e374
[8] http://developer.pidgin.im/viewmtn/revision/info/f12c9f6a6c31bcd3512f162209285a88a86595ff
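The defensive pattern behind this class of bug, as an added example that is not Pidgin's code and not the upstream patch linked above: validate incoming text as UTF-8 and replace every malformed byte with U+FFFD before handing the string to the display layer, so malformed input is rendered harmlessly instead of reaching code that aborts on it. All function names and sample inputs here are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Length of the well-formed UTF-8 sequence at s (n bytes available), or 0 if malformed.
   Rejects stray continuation bytes, bad lead bytes, truncated sequences, overlong
   encodings, UTF-16 surrogates and code points above U+10FFFF. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    size_t len; uint32_t cp, min;
    if (n == 0) return 0;
    if (s[0] < 0x80) return 1;
    if (s[0] >= 0xC2 && s[0] <= 0xDF)      { len = 2; cp = s[0] & 0x1F; min = 0x80; }
    else if (s[0] >= 0xE0 && s[0] <= 0xEF) { len = 3; cp = s[0] & 0x0F; min = 0x800; }
    else if (s[0] >= 0xF0 && s[0] <= 0xF4) { len = 4; cp = s[0] & 0x07; min = 0x10000; }
    else return 0;                 /* 0x80..0xC1 and 0xF5..0xFF never start a sequence */
    if (n < len) return 0;         /* sequence truncated by end of input */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;     /* expected a continuation byte */
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
    return len;
}

/* Copy n bytes of in to out as valid UTF-8, replacing each malformed byte with U+FFFD.
   Never aborts; returns bytes written (NUL-terminated) or (size_t)-1 if out is too small. */
size_t sanitize_utf8(const unsigned char *in, size_t n, char *out, size_t outcap)
{
    static const char repl[] = "\xEF\xBF\xBD";   /* U+FFFD REPLACEMENT CHARACTER */
    size_t o = 0;
    for (size_t i = 0; i < n; ) {
        size_t len = utf8_seq_len(in + i, n - i);
        const char *src = len ? (const char *)(in + i) : repl;
        size_t take = len ? len : 3;
        if (o + take >= outcap) return (size_t)-1;  /* keep room for the NUL */
        memcpy(out + o, src, take);
        o += take;
        i += len ? len : 1;        /* skip exactly one bad byte, then resynchronise */
    }
    out[o] = '\0';
    return o;
}

/* Check helper: 1 if sanitizing in (n bytes) yields exactly expect, else 0. */
int sanitizes_to(const char *in, size_t n, const char *expect)
{
    char buf[64];
    size_t w = sanitize_utf8((const unsigned char *)in, n, buf, sizeof buf);
    return w != (size_t)-1 && w == strlen(expect) && memcmp(buf, expect, w) == 0;
}
```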
This issue affects the versions of the pidgin package as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the pidgin package as shipped with Fedora releases 15 and 16. Please schedule an update.
Created pidgin tracking bugs for this issue

Affects: fedora-all [bug 803299]
This was assigned the name CVE-2012-1178: http://www.openwall.com/lists/oss-security/2012/03/14/7
Statement: (none)
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6

Via RHSA-2012:1102 https://rhn.redhat.com/errata/RHSA-2012-1102.html