Kaspersky Labs has disclosed a vulnerability in libpurple that if exploited could allow remote code execution.
Libpurple is a graphical IM program used in the development of several instant messaging programs, including Pidgin and Adium on the MacOS, Windows Linux and Unix platforms. This flaw can be found in Adium 18.104.22.168 and Pidgin 2.12.0 and was first reported on March 15 by a researcher going by the name Erythronium on Adium's and Pidgin's developer's forums, Kaspersky Labs' Threatpost reported.
The flaw, listed as CVE-2017-2640, has been patched in Pidgin, but Adium has not responded. According to a Pidgin advisory, the vulnerability is “An out-of-bounds write when invalid xml is sent by a malicious server.”