Emoticons blast three security holes in Pidgin :-(
Dump docs on users' disks using only ASCII art (°O°)
Cisco researchers have reported a trio of vulnerabilities in popular instant messaging client Pidgin that allow for denial of service by way of emoticon abuse and remote arbitrary file creation.
Researchers Yves Younan and Richard Johnson say the flaws, which have since been quietly patched, rated a maximum CVSS score of 6.4 but were easily and remotely exploitable.
The first reported flaw (CVE-2014-3697) affected the way Pidgin accessed smileys and themes as tar packages on Windows systems.
Linux systems are safe since they use the un-tar utility, while Pidgin on Windows uses included code that permits absolute paths to be specified in tar files, allowing attackers to overwrite files accessible by the user.
The second vulnerability (CVE-2014-3696) existed in libpurple's handling of the Novell Groupwise protocol, meaning attackers with control of Novell protocol message contents could trigger an out-of-memory exception by specifying an overly large size value for a memory allocation operation.
Younan said this attack could see remote servers issue a crafted message to trigger an out of memory exception that kills Pidgin.
The third flaw (CVE-2014-3697) could see attackers craft emoticons that, when downloaded, cause the Pidgin clients wielded by lovers of smileys to crash in a denial of service.
Emoti-con artists would need to spoof messages from the mxit.com domain to exploit the hole, however.
The smiley, frowning and fawning faces had in 2012 allowed attackers to trigger buffer overflows and arbitrary code execution.
Since then the client appeared to have cleaned up enough to only just fail the Electronic Frontier Foundation's recent security audit of instant message offerings. ®