IRC remote crasher and patch

Ethan Blanton elb at
Sat Jul 16 17:28:34 EDT 2011

Hi all,

The information in this email is security sensitive, and is not to be
revealed until 2.9.1 is released.  Please keep it under wraps for the
time being.

An IRC remote crasher snuck into 2.8.0 along with all the other IRC
WHO brokenness.  It enables either 1) a malicious server, or 2) a
malicious user on a server with less-than-strict nick checking to
crash Pidgin users with certain encoding configurations.  It is a
crasher only (as best I can tell), and is not exploitable.

This bug is not unknown, but as a fix has not yet made it into
a release and the precise reason for the crash has not been publicly
identified, I am asking that it be kept quiet.  Our bug is:

I believe there is an Adium bug for this issue, as well.  (It has
quite possibly been around for a long time; this broken WHO code went
into Adium's libpurple long before ours, as I understand it.)

I assume we need a CVE number for this; since it's not exactly an
undisclosed bug, I'm not sure if anyone on this list can issue it.  If
not, please let me know how we go about getting one.  (Maybe another
Pidgin dev knows?)

A patch to fix this problem is attached.  It will be included in 2.9.1
when it is released, which will hopefully not be too far off.  At that
time, vendors should feel free to apply the attached patch to their

-------------- next part --------------
A non-text attachment was scrubbed...
Name: irc_who_fix.diff
Type: text/x-diff
Size: 2663 bytes
Desc: not available
URL: <>