A NULL pointer dereference flaw was found in the Pidgin MSN DirectConnect protocol implementation, by processing certain P2P messages. A remote, authenticated user could use this flaw to cause denial of service (Pidgin crash). Acknowledgements: Red Hat would like to thank the Pidgin project for reporting this issue. Upstream acknowledges Stu Tomlinson as the original reporter.
This issue did NOT affect the versions of the Pidgin package, as shipped with Red Hat Enterprise Linux 4, 5, or 6. -- This issue affects the versions of the Pidgin package, as shipped with Fedora release of 13 and 14.
Public via: http://pidgin.im/news/security/?id=49
CVE Request: http://www.openwall.com/lists/oss-security/2010/12/27/1
Created pidgin tracking bugs for this issue Affects: fedora-all [bug 665856]
Statement: This issue did not affect the versions of pidgin package as shipped with Red Hat Enterprise Linux 4, 5, and 6 as this issue is specific to versions of libpurple from 2.7.6 up to 2.7.8.
This has been assigned CVE-2010-4528
This was fixed in Fedora via pidgin-2.7.9-1.fc13 / fc14 / fc15: * Mon Dec 27 2010 Stu Tomlinson <stu@...> 2.7.9-1 - 2.7.9, includes security/DoS fix in the MSN protocol (#665856)