Security response Re: Remote crash in ICQ

Warren Togami wtogami at
Mon Jun 29 13:10:13 EDT 2009

On 06/28/2009 07:56 PM, Mark Doliner wrote:
> Attached is a patch to fix the bug.  It applies cleanly to 2.5.7,
> 2.5.6, 2.5.5 and 2.5.4 (with offset).  I didn't test any older
> versions.  Only libpurple has changed, so if your Pidgin package links
> to libpurple dynamically then you really only need to rebuild
> libpurple.  Also, we've just released 2.5.8 which includes this fix
> and a few other nice bug fixes.  Source packages are at
> and changelog at
> Thanks, and sorry for the inconvenience.
> -Mark

CVE-2009-1889 has been assigned to this issue.
We are treating this as already public.

1) Anyone know a reproduce procedure?  We will need this for QA testing 
the binaries.

2) Is pidgin 1.5.x effected?  It appears to contain similar code in the 
oscar prpl, however
<darkrain42> That said, incomingim_chan4 in 1.5 pretty clearly doesn't 
actually handle packets of type '0x1a'

After the CVE is fully defined someone will need to write the page for here.

4) Who has access to add people to this list?  We need thoger at 
and jlieskov at added.

Warren Togami
wtogami at

Warren Togami
wtogami at

More information about the Packagers mailing list