cve-2011-2485-00

Summary Remote denial of service from corrupt buddy icons
Date 2011-06-23
CVE Number CVE-2011-2485
Discovered By Mark Doliner
Fixed In Release 2.9.0

Description

It was found that the gdk-pixbuf GIF image loader routine gdk_pixbuf__gif_image_load() did not properly handle certain return values from its subroutines. A remote attacker could provide a specially-crafted GIF image, which, once opened in Pidgin, would lead gdk-pixbuf to return a partially initialized pixbuf structure. Using this structure, possibly containing a huge width and height, could lead to the application being terminated due to excessive memory use.

Mitigation

Change Pidgin to look at the GError parameter in addition to the return value when calling certain gdk-pixbuf functions.

Looking to reach us via XMPP? Check out the new PidginChat service!