LWN.net

pidgin: multiple vulnerabilities

Package(s): pidgin
CVE #(s): CVE-2013-0271 CVE-2013-0272 CVE-2013-0273 CVE-2013-0274
Created: February 14, 2013
Updated: March 21, 2013
Description:

From the Pidgin advisories:

CVE-2013-0271: The MXit protocol plugin saves an image to local disk using a filename that could potentially be partially specified by the IM server or by a remote user.

CVE-2013-0272: The code did not respect the size of the buffer when parsing HTTP headers, and a malicious server or man-in-the-middle could send specially crafted data that could overflow the buffer. This could lead to a crash or remote code execution.

CVE-2013-0273: libpurple failed to null-terminate user IDs that were longer than 4096 bytes. It's plausible that a malicious server could send one of these to us, which would lead to a crash.

CVE-2013-0274: libpurple failed to null-terminate some strings when parsing the response from a UPnP router. This could lead to a crash if a malicious user on your network responds with a specially crafted message.

Alerts:
Slackware SSA:2013-044-01 2013-02-13
Mageia MGASA-2013-0058 2013-02-21
Ubuntu USN-1746-1 2013-02-25
SUSE SUSE-SU-2013:0388-1 2013-03-04
openSUSE openSUSE-SU-2013:0407-1 2013-03-07
openSUSE openSUSE-SU-2013:0405-1 2013-03-07
Mandriva MDVSA-2013:025 2013-03-14
Red Hat RHSA-2013:0646-01 2013-03-14
CentOS CESA-2013:0646 2013-03-14
Oracle ELSA-2013-0646 2013-03-14
Scientific Linux SL-pidg-20130314 2013-03-14
openSUSE openSUSE-SU-2013:0511-1 2013-03-21

Copyright © 2013, Eklektix, Inc.