Pidgin update addresses emoticon vulnerability
The Pidgin developers have released version 2.6.5 of their open source instant messenger application. The update addresses a directory traversal vulnerability in the libpurple MSN protocol implementation used by the multi-platform instant messaging client.
The vulnerability was originally demonstrated at the end of December at the 26th Chaos Communication Congress (26C3), as part of a presentation by security researcher Fabian Yamaguchi on how small flaws can be used to penetrate a network. According to Yamaguchi, the flaw allows a remote attacker to download arbitrary files from a victim's computer via an MSN emoticon (custom smiley) download request: the requested file name is not confined to the emoticon directory. All versions up to and including Pidgin 2.6.4 are reportedly vulnerable. The developers advise all users to update to the latest release.
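As an added illustration (not Pidgin's or libpurple's own code), the defender-side check that closes this class of bug: a remotely supplied custom-smiley file name is accepted only as a single path component before it is joined to the emoticon directory. The directory location, function names and sample requests are assumptions for the example.

```c
/* Added example, not libpurple code: confine a requested custom-smiley
 * file name to the emoticon directory. The directory path is assumed. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define SMILEY_DIR "/home/user/.purple/custom_smiley"   /* assumed location */

/* True only if 'name' is one plain path component: non-empty, not "." or
 * "..", no Unix or Windows separators, no drive colon, no control bytes. */
bool smiley_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    for (const char *p = name; *p; p++) {
        if (*p == '/' || *p == '\\' || *p == ':' || (unsigned char)*p < 0x20)
            return false;
    }
    return strlen(name) < 256;   /* keep well inside any sane path buffer */
}

/* Write SMILEY_DIR/name into out. Returns 0 on success, -1 if the name is
 * unsafe or the buffer is too small. The vulnerable pattern is the same
 * concatenation performed without the smiley_name_is_safe() gate. */
int smiley_build_path(const char *name, char *out, size_t outlen)
{
    if (!smiley_name_is_safe(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", SMILEY_DIR, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample requests: one legitimate, three that must be refused. */
    const char *requests[] = { "grin.png", "../../secret.txt", "..\\..\\secret.txt", "" };
    char path[512];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        if (smiley_build_path(requests[i], path, sizeof path) == 0)
            printf("serve  : %s\n", path);
        else
            printf("refuse : \"%s\"\n", requests[i]);
    }
    return 0;
}
```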
More details about the release can be found in the change log. Pidgin 2.6.5 is available to download for Windows, Mac OS X and Linux and is released under the GNU General Public License (GPL).
See also:
- MSN file download vulnerability, security advisory from the Pidgin developers.
- MSN custom smiley request directory traversal file disclosure, security advisory from Red Hat.
- 26C3: Network design weaknesses, a report from The H.
(crve)