Pidgin Security Advisories

This page lists all potential security vulnerabilities discovered since August 1st, 2004 in Pidgin (or Gaim), Finch, libpurple, or any official plugins included with those programs.

| Title | CVE Name | Date | Fixed In |
|---|---|---|---|
| Potential information leak from XMPP | CVE-2014-3698 | 2014-10-22 | 2.10.10 |
| Malicious smiley themes could alter arbitrary files | CVE-2014-3697 | 2014-10-22 | 2.10.10 |
| Remote crash parsing malformed Groupwise message | CVE-2014-3696 | 2014-10-22 | 2.10.10 |
| Remote crash parsing malformed MXit emoticon | CVE-2014-3695 | 2014-10-22 | 2.10.10 |
| Insufficient SSL certificate validation | CVE-2014-3694 | 2014-10-22 | 2.10.10 |
| Remotely triggerable crash in IRC argument parsing | CVE-2014-0020 | 2014-01-28 | 2.10.8 |
| Buffer overflow in SIMPLE header parsing | CVE-2013-6490 | 2014-01-28 | 2.10.8 |
| Buffer overflow in MXit emoticon parsing | CVE-2013-6489 | 2014-01-28 | 2.10.8 |
| Buffer overflow in Gadu-Gadu HTTP parsing | CVE-2013-6487 | 2014-01-28 | 2.10.8 |
| Pidgin uses clickable links to untrusted executables | CVE-2013-6486 | 2014-01-28 | 2.10.8 |
| Buffer overflow parsing chunked HTTP responses | CVE-2013-6485 | 2014-01-28 | 2.10.8 |
| Crash reading response from STUN server | CVE-2013-6484 | 2014-01-28 | 2.10.8 |
| XMPP doesn't verify 'from' on some iq replies | CVE-2013-6483 | 2014-01-28 | 2.10.8 |
| NULL pointer dereference parsing SOAP data in MSN | CVE-2013-6482 | 2014-01-28 | 2.10.8 |
| NULL pointer dereference parsing OIM data in MSN | CVE-2013-6482 | 2014-01-28 | 2.10.8 |
| NULL pointer dereference parsing headers in MSN | CVE-2013-6482 | 2014-01-28 | 2.10.8 |
| Remote crash reading Yahoo! P2P message | CVE-2013-6481 | 2014-01-28 | 2.10.8 |
| Remote crash parsing HTTP responses | CVE-2013-6479 | 2014-01-28 | 2.10.8 |
| Crash when hovering pointer over a long URL | CVE-2013-6478 | 2014-01-28 | 2.10.8 |
| Crash handling bad XMPP timestamp | CVE-2013-6477 | 2014-01-28 | 2.10.8 |
| Yahoo! remote crash from incorrect character encoding | CVE-2012-6152 | 2014-01-28 | 2.10.8 |
| Windows Pidgin crash receiving some characters | N/A | 2014-01-28 | 2.10.8 |
| Crash when receiving a UPnP response with abnormally long values | CVE-2013-0274 | 2013-02-13 | 2.10.7 |
| Sametime crash with long user IDs | CVE-2013-0273 | 2013-02-13 | 2.10.7 |
| MXit buffer overflow reading data from network | CVE-2013-0272 | 2013-02-13 | 2.10.7 |
| Remote MXit user could specify local file path | CVE-2013-0271 | 2013-02-13 | 2.10.7 |
| MXit buffer overflow | CVE-2012-3374 | 2012-07-05 | 2.10.5 |
| Possible MSN remote crash | CVE-2012-2318 | 2012-05-06 | 2.10.4 |
| XMPP remote crash | CVE-2012-2214 | 2012-05-06 | 2.10.4 |
| Possible MSN remote crash | CVE-2012-1178 | 2012-01-17 | 2.10.2 |
| XMPP remote crash | CVE-2011-4939 | 2011-07-08 | 2.10.2 |
| SILC remote crash | CVE-2011-4603 | 2011-09-29 | 2.10.1 |
| XMPP remote crash | CVE-2011-4602 | 2011-12-10 | 2.10.1 |
| AIM and ICQ remote crash | CVE-2011-4601 | 2011-10-20 | 2.10.1 |
| SILC remote crash | CVE-2011-3594 | 2011-09-29 | 2.10.1 |
| Pidgin uses clickable links to untrusted executables | CVE-2011-3185 | 2011-08-20 | 2.10.0 |
| Remote crash in MSN protocol plugin | CVE-2011-3184 | 2011-08-20 | 2.10.0 |
| Remote crash in IRC protocol plugin | CVE-2011-2943 | 2011-08-20 | 2.10.0 |
| Remote denial of service from corrupt buddy icons | CVE-2011-2485 | 2011-06-23 | 2.9.0 |
| Remote denial of service in Yahoo protocol plugin | CVE-2011-1091 | 2011-03-10 | 2.7.11 |
| Cipher API information disclosure | N/A | 2011-02-06 | 2.7.10 |
| MSN direct connection denial of service | CVE-2010-4528 | 2010-12-26 | 2.7.9 |
| purple_base64_decode() remote crashes | CVE-2010-3711 | 2010-10-20 | 2.7.4 |
| ICQ X-Status denial of service | CVE-2010-2528 | 2010-07-21 | 2.7.2 |
| MSN emoticon denial of service | CVE-2010-1624 | 2010-05-12 | 2.7.0 |
| Smiley denial of service | CVE-2010-0423 | 2010-02-18 | 2.6.6 |
| Finch XMPP MUC crash | CVE-2010-0420 | 2010-02-18 | 2.6.6 |
| MSN malformed SLP message crash | CVE-2010-0277 | 2010-02-18 | 2.6.6 |
| MSN file download vulnerability | CVE-2010-0013 | 2010-01-08 | 2.6.5 |
| ICQ and maybe AIM remote crash | CVE-2009-3615 | 2009-10-16 | 2.6.3 |
| IRC crash from malicious server | CVE-2009-2703 | 2009-09-03 | 2.6.2 |