Pidgin Security Advisory

TitleRemote denial of service from corrupt buddy icons
Date2011-06-23
CVE NameCVE-2011-2485
Discovered ByMark Doliner
SummaryA remote attacker could set a specially-crafted GIF image as their buddy icon that could lead to Pidgin being terminated due to excessive memory use
DescriptionIt was found that the gdk-pixbuf GIF image loader routine gdk_pixbuf__gif_image_load() did not properly handle certain return values from its subroutines. A remote attacker could provide a specially-crafted GIF image, which, once opened in Pidgin, would lead gdk-pixbuf to return a partially initialized pixbuf structure. Using this structure, possibly containing a huge width and height, could lead to the application being terminated due to excessive memory use.
Fixed in Revision96183796df0c
Fixed in Version2.9.0
FixChange Pidgin to look at the GError parameter in addition to the return value when calling certain gdk-pixbuf functions.

Return to Security Advisory Index