http://repos.archlinux.org/wsvn/packages/pidgin/trunk/oscar_xstatus_remote_crash_fix_2_for_pidgin_2.7.1.diff
This is fixed in pidgin-2.7.2. Arch teams, please stabilize.
Commit by markdoliner@pidgin.im on im.pidgin.pidgin.2.7.2 :: "Problem #1 (the remotely-triggerable crash): The crash happens when a buddy sets an xstatus message containing <desc> but no closing </desc>, or <title> but no closing </title>. The fix is to check the result of strstr(closing_tag_name) and do nothing if it is NULL. This is CVE-2010-2528."
x86 stable
Stable on alpha.
amd64 stable
alpha/ia64/sparc stable
Stable for HPPA.
Stable for PPC.
ppc64 done
CVE-2010-2528 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2528): The clientautoresp function in family_icbm.c in the oscar protocol plugin in libpurple in Pidgin before 2.7.2 allows remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via an X-Status message that lacks the expected end tag for a (1) desc or (2) title element.
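The commit message and the CVE text above both come down to one unchecked strstr() result. The following is an added illustration of that bug class and its fix, written for this page; it is a constructed stand-in, not Pidgin's actual family_icbm.c code, and the function names are assumptions:

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class behind CVE-2010-2528, not Pidgin's
 * actual family_icbm.c: the text between <desc>...</desc> or <title>...</title>
 * is cut out of an xstatus message with strstr(). Results are malloc'd. */
static char *copy_range(const char *start, const char *end)
{
    size_t len = (size_t)(end - start);
    char *out = malloc(len + 1);
    if (out != NULL) {
        memcpy(out, start, len);
        out[len] = '\0';
    }
    return out;
}
/* BEFORE: the strstr() result for the closing tag is used unchecked. For
 * "<desc>hello" `end` is NULL, `end - start` is garbage and the copy touches
 * invalid memory: the remotely triggerable crash. Never call on untrusted input. */
char *xstatus_extract_unchecked(const char *msg, const char *otag, const char *ctag)
{
    const char *start = strstr(msg, otag);
    if (start == NULL)
        return NULL;
    start += strlen(otag);
    return copy_range(start, strstr(start, ctag));   /* may hand over NULL */
}
/* AFTER, as the 2.7.2 commit message describes the fix: check the strstr()
 * result for the closing tag and do nothing if it is NULL. */
char *xstatus_extract(const char *msg, const char *otag, const char *ctag)
{
    const char *start = strstr(msg, otag);
    if (start == NULL)
        return NULL;
    start += strlen(otag);
    const char *end = strstr(start, ctag);
    if (end == NULL)            /* unterminated element: ignore it, don't crash */
        return NULL;
    return copy_range(start, end);
}
/* 1 if the hardened extraction yields `expected` (NULL meaning "ignored"). */
int xstatus_extract_matches(const char *msg, const char *otag, const char *ctag,
                            const char *expected)
{
    char *got = xstatus_extract(msg, otag, ctag);
    int ok = (got == NULL) ? (expected == NULL)
                           : (expected != NULL && strcmp(got, expected) == 0);
    free(got);
    return ok;
}
```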
GLSA Vote: Yes, DoS in popular client software.
Vote: NO, DoS in client app only.
Client crash is hardly a security issue, so GLSA Vote: no -> Closing. Feel free to reopen if you disagree.