CVE-2011-4601

Published: 24 December 2011

family_feedbag.c in the oscar protocol plugin in libpurple in Pidgin before 2.10.1 does not perform the expected UTF-8 validation on message data, which allows remote attackers to cause a denial of service (application crash) via a crafted (1) AIM or (2) ICQ message associated with buddy-list addition.

Priority

Status

Package	Release	Status
pidgin Launchpad, Ubuntu, Debian	hardy	Ignored (end of life)
	lucid	Released (1:2.6.6-1ubuntu4.5)
	maverick	Ignored (end of life)
	natty	Released (1:2.7.11-1ubuntu2.2)
	oneiric	Released (1:2.10.0-0ubuntu2.1)
	precise	Not vulnerable (1:2.10.2-1ubuntu1)
	upstream	Needs triage
	Patches: upstream: http://hg.pidgin.im/pidgin/main/rev/8431da66063b vendor: https://rhn.redhat.com/errata/RHSA-2011-1821.html

References

http://www.pidgin.im/news/security/?id=57
https://ubuntu.com/security/notices/USN-1500-1
https://www.cve.org/CVERecord?id=CVE-2011-4601
NVD
Launchpad
Debian

Bugs

http://developer.pidgin.im/ticket/14682
https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/958208

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›