[Fwd: Re: [Advisories] Libpurple security vulnerability CORE-2009-0727]
Warren Togami
wtogami at redhat.com
Wed Aug 12 22:14:34 EDT 2009
On 08/11/2009 12:32 PM, Paul Aurich wrote:
> And Stanislav Brabec spoke on 08/11/2009 03:32 AM, saying:
>> Warren Togami wrote:
>>> On 08/10/2009 11:20 AM, Ari Pollak wrote:
>>>> Paul Aurich wrote:
>>>>> To prod this process along some more, I'm attaching a patch and debug log
>>>> So... is this going to be the official patch that goes into 2.5.9?
>>> It seems that pidgin-1.5.x is also affected. Are other distros patching
>>> that too?
>>
>> I guess you think Gaim.
>>
>> Did you already try the PoC on Gaim?
>>
>> If it is affected, I will try to backport the fix, if it will be
>> reasonably easy. However I don't think so. The new MSN code is using
>> libpurple, the old code is self-standing.
>
> gaim/pidgin1.5 uses the MSN prpl the same way it does now, and I think
> every version going back to the first one that included the relevant code
> (based on looking at the commits) would be vulnerable.
>
It seems that the distros still shipping pidgin-1.5.x might have a
different mish-mash of patches by now. Could we please collaborate and
cut a new "upstream" pidgin-1.5.2 with the common parts that we can
agree upon? It would make it easier to ship patches for security issues
like this which corrects an earlier incomplete attempt of closing
security holes.

http://people.redhat.com/wtogami/temp/.pidgin/files/
Here's all the patches against our current RHEL-3 pidgin-1.5.1.

I believe all of these patches are safe for pidgin-1.5.2. Do the other
distros have more patches that are known safe and relevant to other distros?

pidgin-1.5.2 should also remove/disable protocols known to be broken
like SILC and Yahoo. Any other protocols known broken in this old version?

Warren Togami
wtogami at redhat.com