Possible libpurple vulnerability in multiple prpls

Elliott Sales de Andrade qulogic at pidgin.im
Sat Aug 15 17:58:36 EDT 2009


On Sat, Aug 15, 2009 at 5:30 PM, John Bailey <rekkanoryo at rekkanoryo.org> wrote:

> Mark Doliner wrote:
> > In the past I think we have not gotten CVE numbers for things that
> > require the user to accept a request.  So my vote is no.  But maybe
> > you should hold off on committing the change until Tuesday the 18th,
> > and maybe email us a diff of your fix?
> >
> > -Mark
>
> If we could have the patch here ASAP, that would be great.  With a patch to
> commit, I could kill the 2.5.9 tag while it's still local to my database only
> and retag with the patch included (and also generate new tarballs).
>

I've attached the patch for MSN, XMPP and Bonjour. I do not know about other
prpls. It's a one-line fix to MSN, so if it doesn't apply to 2.5.8 cleanly,
it's easy to copy in. Sorry, I'm in a rush, so I can't pull a diff out of
2.5.8 right now.

> John
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libpurple-jabber-bonjour-msn-ft.diff
Type: application/octet-stream
Size: 2297 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20090815/4ef29a7d/attachment-0001.obj>
