Advisories

This page lists all potential security vulnerabilities discovered since August 1st, 2004 in Pidgin (or Gaim), Finch, libpurple, or any official plugins included with those programs.

2021-02-15

Pidgin MXIT Splash Image Arbitrary File Overwrite Vulnerability

Pidgin MXIT mxit_convert_markup_tx Information Leak Vulnerability

Pidgin MXIT get_utf8_string Code Execution Vulnerability

Pidgin MXIT HTTP Content-Length Buffer Overflow Vulnerability

Pidgin MXIT read stage 0x3 Code Execution Vulnerability

Pidgin MXIT MultiMX Message Code Execution Vulnerability

Pidgin MXIT Contact Mood Denial of Service Vulnerability

Pidgin MXIT File Transfer Length Memory Disclosure Vulnerability

Pidgin MXIT Extended Profiles Code Execution Vulnerability

Pidgin MXIT Custom Resource Denial of Service Vulnerability

Pidgin MXIT CP_SOCK_REC_TERM Denial of Service Vulnerability

Pidgin MXIT g_snprintf Multiple Buffer Overflow Vulnerabilities

Pidgin MXIT Avatar Length Memory Disclosure Vulnerability

Pidgin MXIT Table Command Denial of Service Vulnerability

Pidgin MXIT Markup Command Denial of Service Vulnerability

X.509 Certificates Improperly Imported

ICQ and maybe AIM remote crash

XMPP custom smiley parsing bug

MSN handwritten message crash

MSN partial SLP invite crash

XMPP may not enforce TLS

Yahoo IM parsing crash

IRC crash from malicious server

MSN overflow parsing SLP messages

ICQ parser excessive memory allocation

MSN malformed SLP message overflow

Remote DoS in multiple protocols

QQ remote DoS

XMPP file transfer buffer overflow

Potential information leak from XMPP

Malicious smiley themes could alter arbitrary files

Remote crash parsing malformed Groupwise message

Remote crash parsing malformed MXit emoticon

Insufficient SSL certificate validation

Remotely triggerable crash in IRC argument parsing

Buffer overflow in MXit emoticon parsing

Buffer overflow in Gadu-Gadu HTTP parsing

Pidgin uses clickable links to untrusted executables

Buffer overflow parsing chunked HTTP responses

Crash reading response from STUN server

XMPP doesn't verify 'from' on some iq replies

NULL pointer dereference parsing SOAP data in MSN

NULL pointer dereference parsing OIM data in MSN

NULL pointer dereference parsing headers in MSN

Remote crash reading Yahoo! P2P message

Remote crash parsing HTTP responses

Crash when hovering pointer over a long URL

Crash handling bad XMPP timestamp

Cipher API information disclosure

  • No security advisories

XMPP remote crash

SILC remote crash

XMPP remote crash

AIM and ICQ remote crash

SILC remote crash

Pidgin uses clickable links to untrusted executables

Remote crash in MSN protocol plugin

Remote crash in IRC protocol plugin

Remote denial of service from corrupt buddy icons

Remote denial of service in Yahoo protocol plugin

2021-02-14

Yahoo! remote crash from incorrect character encoding

MSN direct connection denial of service

Multiple remotely-triggered denials of service

ICQ X-Status denial of service

MSN emoticon denial of service

Smiley denial of service

Finch XMPP MUC crash

MSN malformed SLP message crash

MSN file download vulnerability

2021-02-11

NSS TLS/SSL Certificates not validated

Remote UPnP discovery DoS

MSN Remote file transfer filename DoS

MSN malformed SLP message overflow

NULL pointer dereference in parsing invalid HTML

MSN Remote "Nudge" DoS

Gadu-Gadu memory alignment bug

AIM/ICQ away message buffer overflow

AIM/ICQ non-UTF-8 filename crash

MSN Remote DoS

Remote Yahoo! crash

MSN Remote DoS

Remote crash on some protocols

Jabber remote crash

Remote DoS on receiving certain messages over IRC

Remote DoS on receiving malformed HTML

Remote DoS on receiving malformed HTML

AIM/ICQ remote denial of service

Remote DoS on receiving malformed HTML

MSN SLP buffer overflow

2020-01-18

MSN SLP DOS (malloc error)

  • No security advisories

MSN File transfer DOS (malloc error)

  • No security advisories

Content-length DOS (malloc error)

  • No security advisories

Out-of-bounds write when stripping xml

Pidgin MXIT Suggested Contacts Memory Disclosure Vulnerability

RTF message buffer overflow

Local hostname resolution buffer overflow

URL decode buffer overflow

Groupware message receive integer overflow

MSN strncpy buffer overflow

2004-08-22

Smiley theme installation lack of escaping