A denial service flaw was found in the way XMPP protocol plug-in of Pidgin, a Gtk+ based multiprotocol instant messaging client, performed cleanup for certain SOCKS5 connections. A remote attacker, being present on the buddy list of the victim, and able to trick the victim into accepting of a serie of specially-crafted XMPP file transfer requests, could use this flaw to cause pidgin executable crash. Upstream advisory: [1] http://www.pidgin.im/news/security/?id=62 Relevant upstream patch: [2] http://developer.pidgin.im/viewmtn/revision/info/d991ff6d558d185527a09eae0378edb3fc7057a5
This issue affects the versions of the pidgin package, as shipped with Red Hat Enterprise Linux 5 and 6. -- This issue affects the versions of the pidgin package, as shipped with Fedora release of 15 and 16. Please schedule an update.
Created pidgin tracking bugs for this issue Affects: fedora-all [bug 819454]
The duplicate CVE identifier of CVE-2012-2323 has been also assigned to this issue by mistake: http://www.openwall.com/lists/oss-security/2012/05/07/12 But CVE-2012-2214 one should be used when referencing to this deficiency (CVE-2012-2323 will rejected as duplicate of CVE-2012-2214).
Upstream v2.10.4 announcement: http://pidgin.im/pipermail/devel/2012-May/010756.html and Changelog: http://developer.pidgin.im/wiki/ChangeLog
Statement: Not Vulnerable. This issue does not affect the version of pidgin as shipped with Red Hat Enterprise Linux 5 and 6.