Multiple remotely-triggerable crashes in libpurple

John Bailey rekkanoryo at rekkanoryo.org
Tue Oct 12 22:49:21 EDT 2010


On 10/11/2010 11:43 AM, Jan Lieskovsky wrote:
>   Please use CVE-2010-3711 to reference these flaws in your advisory.

Thank you!  I plan to draft a smaller summary of the original disclosure I
posted here for use on our website.  I'll post it here once I have drafted it.

>   Are there any reproducer / proof of concept files, which could be used for
> patch work verification and updated packages testing purposes?
> 
>   If they are available, would you be willing to privately [1] share
> them with us?
> 
> [1] http://www.redhat.com/security/team/key/

I, unfortunately, did not test the patch.  I have not been involved much with
our development lately due to my regular job.  This is an excellent question for
Daniel.  The nature of some of these crashes seems to be something that could be
more easily triggered with a specially designed PoC executable that can
intentionally send malformed information than with a file to transfer, though.

>   Also wondering about other vendors notification, do you have a plan to post
> a short note regarding the issues to the vendor-sec channel?
> 
>   Providing basic issue details (i.e. multiple NULL pointer dereference flaws
> leading to pidgin DoS, mentioning CVE id and preliminary / proposed embargo date,
> together with patch should be enough as post there).
> 
>   Alternatively, we can send a short note regarding the issues to the vendor-sec
> channel, just let us know you expect us to do so.

I've never dealt with vendor-sec.  Any assistance in that regard is quite welcome.

Thanks,
John
