CVE-2009-3085

Publication date 8 September 2009

Last updated 24 July 2024

The XMPP protocol plugin in libpurple in Pidgin before 2.6.2 does not properly handle an error IQ stanza during an attempted fetch of a custom smiley, which allows remote attackers to cause a denial of service (application crash) via XHTML-IM content with cid: images.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
pidgin	9.10 karmic	Not affected
	9.04 jaunty	Fixed 1:2.5.5-1ubuntu8.5
	8.10 intrepid	Fixed 1:2.5.2-0ubuntu1.6
	8.04 LTS hardy	Not affected
	6.06 LTS dapper	Not in release

How can I get the fixes?
What do statuses mean?
Patch details

Notes

mdeslaur

code in hardy is different

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
pidgin	Upstream: http://developer.pidgin.im/viewmtn/revision/info/fd5955618eddcd84d522b30ff11102f9601f38c8

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-886-1
Pidgin vulnerabilities
18 January 2010

Other references

http://www.pidgin.im/news/security/index.php?id=37
https://www.cve.org/CVERecord?id=CVE-2009-3085