Rapid7 Vulnerability & Exploit Database

RHSA-2009:1453: pidgin security update

Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. Info/Query (IQ) is an Extensible Messaging and Presence Protocol (XMPP) specific request-response mechanism.

A NULL pointer dereference flaw was found in the way the Pidgin XMPP protocol plug-in processes IQ error responses when trying to fetch a custom smiley. A remote client could send a specially-crafted IQ error response that would crash Pidgin. (CVE-2009-3085)

A NULL pointer dereference flaw was found in the way the Pidgin IRC protocol plug-in handles IRC topics. A malicious IRC server could send a specially-crafted IRC TOPIC message, which once received by Pidgin, would lead to a denial of service (Pidgin crash). (CVE-2009-2703)

It was discovered that, when connecting to certain, very old Jabber servers via XMPP, Pidgin may ignore the "Require SSL/TLS" setting. In these situations, a non-encrypted connection is established rather than the connection failing, causing the user to believe they are using an encrypted connection when they are not, leading to sensitive information disclosure (session sniffing). (CVE-2009-3026)

A NULL pointer dereference flaw was found in the way the Pidgin MSN protocol plug-in handles improper MSNSLP invitations. A remote attacker could send a specially-crafted MSNSLP invitation request, which once accepted by a valid Pidgin user, would lead to a denial of service (Pidgin crash). (CVE-2009-3083)

These packages upgrade Pidgin to version 2.6.2. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog

All Pidgin users should upgrade to these updated packages, which correct these issues. Pidgin must be restarted for this update to take effect.


  • redhat-upgrade-finch
  • redhat-upgrade-finch-devel
  • redhat-upgrade-libpurple
  • redhat-upgrade-libpurple-devel
  • redhat-upgrade-libpurple-perl
  • redhat-upgrade-libpurple-tcl
  • redhat-upgrade-pidgin
  • redhat-upgrade-pidgin-devel
  • redhat-upgrade-pidgin-perl
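The advisory's remediation is a rebase of every package above to Pidgin 2.6.2, so an administrator can confirm a host is fixed by comparing the installed upstream version of each package against 2.6.2. The script below is an added example, not part of the Rapid7 entry or of Red Hat's advisory; it assumes an RPM-based host and reads the installed version with `rpm -q --qf '%{VERSION}\n'`. The version comparison is plain POSIX shell so it runs without `sort -V`.

```shell
#!/bin/sh
# Fixed upstream version named in RHSA-2009:1453.
FIXED_VERSION="2.6.2"

# Packages listed in the advisory (without the "redhat-upgrade-" prefix
# that Rapid7 uses for its solution identifiers).
ADVISORY_PACKAGES="finch finch-devel libpurple libpurple-devel libpurple-perl libpurple-tcl pidgin pidgin-devel pidgin-perl"

# Compare two dotted numeric version strings component by component.
# Prints -1, 0 or 1 for a<b, a=b, a>b; missing components count as 0,
# so "2.6" and "2.6.0" compare equal.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah="${a%%.*}"; bh="${b%%.*}"
    [ -z "$ah" ] && ah=0
    [ -z "$bh" ] && bh=0
    if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
    if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
  done
  echo 0
}

# True (exit 0) when the installed version is older than the fixed one.
needs_update() {
  [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Query rpm for each advisory package and report its status.
check_host() {
  if ! command -v rpm >/dev/null 2>&1; then
    echo "rpm not found; this check only applies to RPM-based hosts"
    return 1
  fi
  for pkg in $ADVISORY_PACKAGES; do
    if ! ver=$(rpm -q --qf '%{VERSION}\n' "$pkg" 2>/dev/null); then
      echo "$pkg: not installed"
      continue
    fi
    if needs_update "$ver"; then
      echo "$pkg $ver: VULNERABLE (update to $FIXED_VERSION and restart Pidgin)"
    else
      echo "$pkg $ver: fixed"
    fi
  done
}

check_host
```

The upstream-version comparison is sound for this advisory because the errata packages are a rebase to 2.6.2; for Red Hat updates that backport fixes into an older upstream version, compare the full name-version-release against the erratum's package list instead, since the `%{VERSION}` field alone would not move.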
