Comment 22 for bug 1022012

A stack-based buffer overwrite flaw was found in the way MXit protocol plug-in implementation of libPurple, the core of an instant messaging program, such as Pidgin, replaced certain custom emoticon tags with corresponding image tags by processing received RX message data, prior returning the instant message to the user interface for it's presentation to the user. A remote attacker could provide a RX message with specially-crafted emoticon tags, that when processed by the libPurple's MXit protocol plug-in by an application linked against libPurple could lead to that application crash or, potentially, arbitrary code execution with the privileges of the user running the application.

Upstream ticket (private for now):
[1] http://pidgin.im/news/security/?id=64

Patch for the problem and tarballs for v2.10.5 are available here:
[2] http://pidgin.im/~markdoliner/lkFja97sFw89/