[Fwd: Re: [Advisories] Libpurple security vulnerability CORE-2009-0727]

Stanislav Brabec sbrabec at suse.cz
Tue Aug 11 06:32:35 EDT 2009

Warren Togami wrote:
> On 08/10/2009 11:20 AM, Ari Pollak wrote:
> > Paul Aurich wrote:
> >> To prod this process along some more, I'm attaching a patch and debug log
> >
> > So... is this going to be the official patch that goes into 2.5.9?
> It seems that pidgin-1.5.x is also affected.  Are other distros patching 
> that too?

I guess you think Gaim.

Did you already try the PoC on Gaim?

If it is affected, I will try to backport the fix, if it will be
reasonably easy. However I don't think so. The new MSN code is using
libpurple, the old code is self-standing.

Until now, we were able to backport all security and protocol change
fixes except CVE-2008-3532 and Yahoo protocol change.

We are thinking about deprecating of gaim. Gaim is still the only option
in NLD9, for SLED10 we already provide pidgin as a recommended

For example our patched Gaim still works with ICQ, but it gets a spam
each 2-3 minutes.

Best Regards / S pozdravem,

Stanislav Brabec
software developer
SUSE LINUX, s. r. o.                          e-mail: sbrabec at suse.cz
Lihovarská 1060/12           tel: +420 284 028 966, +49 911 740538747
190 00 Praha 9                                  fax: +420 284 028 951
Czech Republic                                    http://www.suse.cz/

More information about the Packagers mailing list