CVE-2009-2694

Name	CVE-2009-2694
Description	The msn_slplink_process_msg function in libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin (formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by sending multiple crafted SLP (aka MSNSLP) messages to trigger an overwrite of an arbitrary memory location. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1376.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-1870-1
Debian Bugs	542486

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
pidgin (PTS)	bullseye	2.14.1-1	fixed
	bookworm	2.14.12-1	fixed
	sid, trixie	2.14.13-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
gaim	source	lenny	(not affected)
gaim	source	(unstable)	(unfixed)
pidgin	source	lenny	2.4.3-4lenny3		DSA-1870-1
pidgin	source	(unstable)	2.5.9-1	medium		542486

[lenny] - gaim <not-affected> (Only a transitional package)