An improper input validation flaw was found in the way the MSN protocol plug-in of Pidgin, a Gtk+ based multiprotocol instant messaging client, performed parsing of MSN message payload containing certain characters. If a remote server provided a specially-crafted MSN notification message, or a remote attacker, being present on the buddy list of the victim, provided a specially-crafted MSN offline instant message, it could lead to a crash of the pidgin executable.
Upstream advisory:
[1] http://www.pidgin.im/news/security/?id=63
Relevant upstream patch:
[2] http://developer.pidgin.im/viewmtn/revision/info/94cbd5a68ee237c970d8bd6d9d53106f1b9627ad
CVE Request:
[3] http://www.openwall.com/lists/oss-security/2012/05/07/1
This issue affects the versions of the pidgin package, as shipped with Red Hat Enterprise Linux 5 and 6.
--
This issue affects the versions of the pidgin package, as shipped with Fedora releases 15 and 16. Please schedule an update.
Created pidgin tracking bugs for this issue
Affects: fedora-all [bug 819454]
The CVE identifier of CVE-2012-2318 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2012/05/07/7
Upstream v2.10.4 announcement: http://pidgin.im/pipermail/devel/2012-May/010756.html and Changelog: http://developer.pidgin.im/wiki/ChangeLog
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6
Via RHSA-2012:1102 https://rhn.redhat.com/errata/RHSA-2012-1102.html