[Fwd: Re: [Advisories] Libpurple security vulnerability CORE-2009-0727]

Paul Aurich paul at darkrain42.org
Tue Aug 11 12:32:40 EDT 2009


And Stanislav Brabec spoke on 08/11/2009 03:32 AM, saying:
> Warren Togami wrote:
>> On 08/10/2009 11:20 AM, Ari Pollak wrote:
>>> Paul Aurich wrote:
>>>> To prod this process along some more, I'm attaching a patch and debug log
>>> So... is this going to be the official patch that goes into 2.5.9?
>> It seems that pidgin-1.5.x is also affected.  Are other distros patching 
>> that too?
> 
> I guess you think Gaim.
> 
> Did you already try the PoC on Gaim?
> 
> If it is affected, I will try to backport the fix, if it will be
> reasonably easy. However I don't think so. The new MSN code is using
> libpurple, the old code is self-standing.

gaim/pidgin1.5 uses the MSN prpl the same way it does now, and I think
every version going back to the first one that included the relevant code
(based on looking at the commits) would be vulnerable.

My "patch" should apply to it just fine, though you'll need to make the
change in the appropriate file, since paths have changed.

~Paul
