CVE-2009-3085

Published: 8 September 2009

The XMPP protocol plugin in libpurple in Pidgin before 2.6.2 does not properly handle an error IQ stanza during an attempted fetch of a custom smiley, which allows remote attackers to cause a denial of service (application crash) via XHTML-IM content with cid: images.

Notes

Author	Note
mdeslaur	code in hardy is different

Priority

Status

Package	Release	Status
pidgin Launchpad, Ubuntu, Debian	dapper	Does not exist
	hardy	Not vulnerable (code not present)
	intrepid	Released (1:2.5.2-0ubuntu1.6)
	jaunty	Released (1:2.5.5-1ubuntu8.5)
	karmic	Not vulnerable (1:2.6.2-1ubuntu2)
	upstream	Released (2.6.2)
	Patches: upstream: http://developer.pidgin.im/viewmtn/revision/info/fd5955618eddcd84d522b30ff11102f9601f38c8

References

http://www.pidgin.im/news/security/index.php?id=37
https://ubuntu.com/security/notices/USN-886-1
https://www.cve.org/CVERecord?id=CVE-2009-3085
NVD
Launchpad
Debian

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›