gtkutils.c in Pidgin before 2.10.0 on Windows allows user-assisted remote attackers to execute arbitrary programs via a file: URL in a message.
Pidgin before 2.10.0 on Windows
Pidgin bugs let remote users deny service and potentially execute arbitrary code.
Several vulnerabilities were reported in Pidgin. A remote user can cause denial of service conditions. A remote user can cause arbitrary code to be executed on the target user's system. A remote user can send specially crafted nickname characters in response to a WHO request to trigger a null pointer dereference in the IRC protocol plugin and cause the target user's client to crash [CVE-2011-2943]. A remote user can send specially crafted HTTP 100 responses to trigger a memory access error in the MSN protocol plugin and cause the target user's client to crash. Only users with the HTTP connection method enabled [not the default setting] are affected.A remote user can create a specially crafted file:// URI that, when loaded by the target user, will execute the specified file. James Burton, Insomnia Security, reported this vulnerability.
Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service.
Pidgin has issued a fix (2.10.0).