Remote crash in ICQ

Mark Doliner mark at
Sun Jun 28 23:19:52 EDT 2009

On Sun, Jun 28, 2009 at 5:01 PM, Warren Togami <wtogami at> wrote:
> On 06/28/2009 07:56 PM, Mark Doliner wrote:
>> Oh, and I suspect there is probably no chance of remote code
>> execution.  The data that triggers the crash comes from the ICQ
>> servers, and I believe is limited to a fairly short length.  It's also
>> probably filtered quite a bit.
>>
>> Attached is a patch to fix the bug.  It applies cleanly to 2.5.7,
>> 2.5.6, 2.5.5 and 2.5.4 (with offset).  I didn't test any older
>> versions.  Only libpurple has changed, so if your Pidgin package links
>> to libpurple dynamically then you really only need to rebuild
>> libpurple.  Also, we've just released 2.5.8 which includes this fix
>> and a few other nice bug fixes.  Source packages are at
>> and changelog at
>>
>> Thanks, and sorry for the inconvenience.
>> -Mark
> We still have pidgin-1.5.x in RHEL-3.  Is that affected by this?

I suspect that it is affected, but I haven't checked.

