Libpurple Yahoo Protocol "YMSG" null pointer reference Denial of Service Vulnerability

Release date:
Updated on:

Affected Systems:
Pidgin Libpurple 2.7.9
Pidgin Libpurple 2.7.8
Pidgin Libpurple 2.7.7
Pidgin Libpurple 2.7.6
Pidgin Libpurple 2.7.10
Pidgin Libpurple 2.7
Pidgin Libpurple 2.6.5
Pidgin Libpurple 2.6.4
Pidgin Libpurple 2.6.1
Pidgin Libpurple 2.6
Unaffected system:
Pidgin Libpurple 2.7.11
Description:
--------------------------------------------------------------------------------
Bugtraq id: 46837
Cve id: CVE-2011-1091

Libpurple is a library that provides network layer connections for most services in Adium.

The implementation of Libpurple has the Yahoo protocol "YMSG" null pointer reference Denial of Service (DoS) vulnerability. Remote attackers can exploit this vulnerability to cause the affected applications to crash and DOS legitimate users.

The Yahoo protocol plug-in Libpurple versions 2.6.0 to 2.7.10 does not properly handle malformed YMSG packets, which can cause NULL pointer reference and application crash.

<* Source: Marius Wachtler

Link: http://www.pidgin.im/news/security? Id = 51
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Pidgin
------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:

Http://pidgin.im/pidgin/home/