Pidgin Security Advisories

This page lists all potential security vulnerabilities discovered since August 1st, 2004 in Pidgin (or Gaim), Finch, libpurple, or any official plugins included with those programs.

Title	CVE Name	Date	Fixed In
Potential information leak from XMPP	CVE-2014-3698	2014-10-22	2.10.10
Malicious smiley themes could alter arbitrary files	CVE-2014-3697	2014-10-22	2.10.10
Remote crash parsing malformed Groupwise message	CVE-2014-3696	2014-10-22	2.10.10
Remote crash parsing malformed MXit emoticon	CVE-2014-3695	2014-10-22	2.10.10
Insufficient SSL certificate validation	CVE-2014-3694	2014-10-22	2.10.10
Remotely triggerable crash in IRC argument parsing	CVE-2014-0020	2014-01-28	2.10.8
Buffer overflow in SIMPLE header parsing	CVE-2013-6490	2014-01-28	2.10.8
Buffer overflow in MXit emoticon parsing	CVE-2013-6489	2014-01-28	2.10.8
Buffer overflow in Gadu-Gadu HTTP parsing	CVE-2013-6487	2014-01-28	2.10.8
Pidgin uses clickable links to untrusted executables	CVE-2013-6486	2014-01-28	2.10.8
Buffer overflow parsing chunked HTTP responses	CVE-2013-6485	2014-01-28	2.10.8
Crash reading response from STUN server	CVE-2013-6484	2014-01-28	2.10.8
XMPP doesn't verify 'from' on some iq replies	CVE-2013-6483	2014-01-28	2.10.8
NULL pointer dereference parsing SOAP data in MSN	CVE-2013-6482	2014-01-28	2.10.8
NULL pointer dereference parsing OIM data in MSN	CVE-2013-6482	2014-01-28	2.10.8
NULL pointer dereference parsing headers in MSN	CVE-2013-6482	2014-01-28	2.10.8
Remote crash reading Yahoo! P2P message	CVE-2013-6481	2014-01-28	2.10.8
Remote crash parsing HTTP responses	CVE-2013-6479	2014-01-28	2.10.8
Crash when hovering pointer over a long URL	CVE-2013-6478	2014-01-28	2.10.8
Crash handling bad XMPP timestamp	CVE-2013-6477	2014-01-28	2.10.8
Yahoo! remote crash from incorrect character encoding	CVE-2012-6152	2014-01-28	2.10.8
Windows Pidgin crash receiving some characters	N/A	2014-01-28	2.10.8
Crash when receiving a UPnP response with abnormally long values	CVE-2013-0274	2013-02-13	2.10.7
Sametime crash with long user IDs	CVE-2013-0273	2013-02-13	2.10.7
MXit buffer overflow reading data from network	CVE-2013-0272	2013-02-13	2.10.7
Remote MXit user could specify local file path	CVE-2013-0271	2013-02-13	2.10.7
MXit buffer overflow	CVE-2012-3374	2012-07-05	2.10.5
Possible MSN remote crash	CVE-2012-2318	2012-05-06	2.10.4
XMPP remote crash	CVE-2012-2214	2012-05-06	2.10.4
Possible MSN remote crash	CVE-2012-1178	2012-01-17	2.10.2
XMPP remote crash	CVE-2011-4939	2011-07-08	2.10.2
SILC remote crash	CVE-2011-4603	2011-09-29	2.10.1
XMPP remote crash	CVE-2011-4602	2011-12-10	2.10.1
AIM and ICQ remote crash	CVE-2011-4601	2011-10-20	2.10.1
SILC remote crash	CVE-2011-3594	2011-09-29	2.10.1
Pidgin uses clickable links to untrusted executables	CVE-2011-3185	2011-08-20	2.10.0
Remote crash in MSN protocol plugin	CVE-2011-3184	2011-08-20	2.10.0
Remote crash in IRC protocol plugin	CVE-2011-2943	2011-08-20	2.10.0
Remote denial of service from corrupt buddy icons	CVE-2011-2485	2011-06-23	2.9.0
Remote denial of service in Yahoo protocol plugin	CVE-2011-1091	2011-03-10	2.7.11
Cipher API information disclosure	N/A	2011-02-06	2.7.10
MSN direct connection denial of service	CVE-2010-4528	2010-12-26	2.7.9
purple_base64_decode() remote crashes	CVE-2010-3711	2010-10-20	2.7.4
ICQ X-Status denial of service	CVE-2010-2528	2010-07-21	2.7.2
MSN emoticon denial of service	CVE-2010-1624	2010-05-12	2.7.0
Smiley denial of service	CVE-2010-0423	2010-02-18	2.6.6
Finch XMPP MUC crash	CVE-2010-0420	2010-02-18	2.6.6
MSN malformed SLP message crash	CVE-2010-0277	2010-02-18	2.6.6
MSN file download vulnerability	CVE-2010-0013	2010-01-08	2.6.5
ICQ and maybe AIM remote crash	CVE-2009-3615	2009-10-16	2.6.3
IRC crash from malicious server	CVE-2009-2703	2009-09-03	2.6.2

Older