Advisories

This page lists all potential security vulnerabilities discovered since August 1st, 2004 in Pidgin (formerly Gaim), Finch, libpurple, or any official plugins included with those programs.

2022-04-28

MITM when used without DNSSEC

2017-03-09

Out-of-bounds write when stripping xml

2016-06-21

Pidgin MXIT Splash Image Arbitrary File Overwrite Vulnerability

Pidgin MXIT mxit_convert_markup_tx Information Leak Vulnerability

Pidgin MXIT get_utf8_string Code Execution Vulnerability

Pidgin MXIT HTTP Content-Length Buffer Overflow Vulnerability

Pidgin MXIT read stage 0x3 Code Execution Vulnerability

Pidgin MXIT Suggested Contacts Memory Disclosure Vulnerability

Pidgin MXIT MultiMX Message Code Execution Vulnerability

Pidgin MXIT Contact Mood Denial of Service Vulnerability

Pidgin MXIT File Transfer Length Memory Disclosure Vulnerability

Pidgin MXIT Extended Profiles Code Execution Vulnerability

Pidgin MXIT Custom Resource Denial of Service Vulnerability

Pidgin MXIT CP_SOCK_REC_TERM Denial of Service Vulnerability

Pidgin MXIT g_snprintf Multiple Buffer Overflow Vulnerabilities

Pidgin MXIT Avatar Length Memory Disclosure Vulnerability

Pidgin MXIT Table Command Denial of Service Vulnerability

Pidgin MXIT Markup Command Denial of Service Vulnerability

X.509 Certificates Improperly Imported

2014-10-22

Potential information leak from XMPP

Malicious smiley themes could alter arbitrary files

Remote crash parsing malformed Groupwise message

Remote crash parsing malformed MXit emoticon

Insufficient SSL certificate validation

2014-01-28

Remotely triggerable crash in IRC argument parsing

Buffer overflow in MXit emoticon parsing

Buffer overflow in Gadu-Gadu HTTP parsing

Pidgin uses clickable links to untrusted executables

Buffer overflow parsing chunked HTTP responses

Crash reading response from STUN server

XMPP doesn't verify 'from' on some iq replies

NULL pointer dereference parsing SOAP data in MSN

NULL pointer dereference parsing OIM data in MSN

NULL pointer dereference parsing headers in MSN

Remote crash reading Yahoo! P2P message

Remote crash parsing HTTP responses

Crash when hovering pointer over a long URL

Crash handling bad XMPP timestamp

2012-01-28

Yahoo! remote crash from incorrect character encoding

2011-12-10

XMPP remote crash

2011-10-20

AIM and ICQ remote crash

2011-09-29

SILC remote crash

SILC remote crash

2011-08-20

Pidgin uses clickable links to untrusted executables

Remote crash in MSN protocol plugin

Remote crash in IRC protocol plugin

2011-07-08

XMPP remote crash

2011-06-23

Remote denial of service from corrupt buddy icons

2011-03-10

Remote denial of service in Yahoo protocol plugin

2011-02-06

Cipher API information disclosure


2010-12-26

MSN direct connection denial of service

2010-10-20

Multiple remotely-triggered denials of service

2010-07-21

ICQ X-Status denial of service

2010-05-12

MSN emoticon denial of service

2010-02-18

Smiley denial of service

Finch XMPP MUC crash

MSN malformed SLP message crash

2010-01-08

MSN file download vulnerability

2009-10-16

ICQ and maybe AIM remote crash

2009-09-03

XMPP custom smiley parsing bug

MSN handwritten message crash

MSN partial SLP invite crash

XMPP may not enforce TLS

IRC crash from malicious server

2009-08-22

Yahoo IM parsing crash

2009-08-18

MSN overflow parsing SLP messages

2009-05-28

ICQ parser excessive memory allocation

2009-05-03

QQ remote DoS

2009-05-02

MSN malformed SLP message overflow

XMPP file transfer buffer overflow

2009-03-20

Remote DoS in multiple protocols

2008-07-25

NSS TLS/SSL Certificates not validated

2008-07-01

MSN malformed SLP message overflow

2008-06-25

MSN Remote file transfer filename DoS

2008-05-11

Remote UPnP discovery DoS

2007-10-24

NULL pointer dereference in parsing invalid HTML

2007-09-27

MSN Remote "Nudge" DoS

2005-08-11

Gadu-Gadu memory alignment bug

AIM/ICQ away message buffer overflow

AIM/ICQ non-UTF-8 filename crash

2005-06-10

MSN Remote DoS

Remote Yahoo! crash

2005-05-10

MSN Remote DoS

Remote crash on some protocols

2005-04-04

Jabber remote crash

2005-04-02

Remote DoS on receiving certain messages over IRC

Remote DoS on receiving malformed HTML

2005-02-24

Remote DoS on receiving malformed HTML

2005-02-17

Remote DoS on receiving malformed HTML

AIM/ICQ remote denial of service

2004-10-19

MSN SLP DoS (malloc error)

MSN File transfer DoS (malloc error)

MSN SLP buffer overflow

2004-08-26

Content-length DoS (malloc error)

RTF message buffer overflow

Local hostname resolution buffer overflow

URL decode buffer overflow

Groupware message receive integer overflow

2004-08-22

Smiley theme installation lack of escaping

MSN strncpy buffer overflow
