Security response Re: Remote crash in ICQ

Mark Doliner mark at
Mon Jun 29 14:52:32 EDT 2009

On Mon, Jun 29, 2009 at 10:10 AM, Warren Togami<wtogami at> wrote:
> On 06/28/2009 07:56 PM, Mark Doliner wrote:
>> Attached is a patch to fix the bug.  It applies cleanly to 2.5.7,
>> 2.5.6, 2.5.5 and 2.5.4 (with offset).  I didn't test any older
>> versions.  Only libpurple has changed, so if your Pidgin package links
>> to libpurple dynamically then you really only need to rebuild
>> libpurple.  Also, we've just released 2.5.8 which includes this fix
>> and a few other nice bug fixes.  Source packages are at
>> and changelog at
>> Thanks, and sorry for the inconvenience.
>> -Mark
> CVE-2009-1889 has been assigned to this issue.
> We are treating this as already public.
> 1) Anyone know a reproduce procedure?  We will need this for QA testing the
> binaries.

I was thinking there was a form on that people
could use to send the message, but the only things I've been able to
find are and , and neither of them trigger the crash.

> 4) Who has access to add people to this list?  We need thoger at and
> jlieskov at added.



More information about the Packagers mailing list