From the
‘
Smiles That Crash
‘
files:
The open source pidgin instant messaging client has a new update today with version 2.7.0.
Pidgin is an important open source project in that it is included in multiple Linux distributions including Red Hat Enterprise Linux and is also available for Windows users as well.
While Pidgin is often updated for protocol and bug fixes (and there are lots in Pidgin 2.7.0), one key item on the changelog stood out to me. It’s a security fix for CVE-2010-1624 which is a custom emoticon remote crash for the MSN messenger protocol.
“A vulnerability was discovered in libpurple’s MSN protocol plugin that
can cause a denial of service (crash) due to insufficient validation of
certain SLP packets related to custom emoticons,” Pidgin’s security advisory on the issue states. “An attacker could use
this vulnerability to remotely crash a client using libpurple for MSN.”
So no, it’s not the simple 🙂 smiley face emoticon that could have triggered the vulnerability (that’s not a custom emoticon). That said, it never ceases to amaze me how seemingly harmless items (it’s an emoticon!!) can lead to security vulnerabilities.