"A bug in the libpurple library, used by Pidgin and other IM clients
such as Adium and Meebo, that could lead Pidgin to crash on some
operating systems has been fixed. According to the developers, the
problem concerned certain characters in IRC user nicknames that could
lead to a null pointer problem in the IRC protocol plugin. Clients based
on version 2.8.0 through 2.9.0 libpurple are affected.
The update also fixes a problem in the MSN protocol plugin that could
cause the application to try to access memory that it should not. The
developers note that the vulnerability only affects users that enable
the HTTP connection method, which is disabled by default, and that they
'believe remote code execution is not possible'.
In the Windows builds, when users click on a file:// URI received in an
IM, previous versions of Pidgin would attempt to execute the file. This
could be dangerous if, for example, it led to a malicious file on a
network share. Instead, the new version now opens a file browser at the
Please respond back to this ticket if you found this security alert helpful.