Pidgin 2.8.0: MSN, No QQ...

[Paul Aurich]

Hi folks!

2.8.0 is nearing release, and we have two notes for you.

1) We've removed the QQ plugin.  It didn't work, hasn't for a while, and
there hasn't been any significant activity from the developers.  Another
plugin [1] exists, which seems promising (based on the thread on the Pidgin
development list, it at least works).  We don't currently have a stub
plugin to notify users about the removal, but we will probably add one (if
not in this release, then for 2.8.1).

2) We have a remote crashing (NULL deref) bug in the MSN protocol plugin,
for which we probably need a CVE#.  Our resident MSN expert, Elliott,
believes it's not exploitable by another user, although a malicious entity
MITMing a Pidgin user could crash Pidgin.  I've attached the proposed patch
from Mark Doliner.

Prerelease tarballs will be provided, but I think a reasonable target for
release is Sunday or Monday.  Please consider the security issue embargoed
until release.

Thanks!
~Paul

[1] https://code.google.com/p/libqq-pidgin/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: msn-httpconn-null-deref.patch
Type: text/x-patch
Size: 1259 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20110511/d36bb7bf/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20110511/d36bb7bf/attachment.pgp>