Pidgin 2.8.0: MSN, No QQ...

Paul Aurich darkrain42 at
Fri May 13 09:35:01 EDT 2011

And Jan Lieskovsky spoke on 05/12/2011 08:53 AM, saying:
> This does not sound like a security flaw. If the attacker can MITM a pidgin
> user, they could insert / modify all their data.
> Why Pidgin upstream thinks this should be considered a security issue?

I think we were on the fence about whether it should be or not.

> Having read your above description, would formulate the problem as:
> A NULL pointer deference flaw was found in the way Pidgin MSN protocol handler
> processed user session identifier data from a HTTP connection. A remote
> attacker could use this flaw to spoof the Pidgin client and conduct
> man-in-the-middle (MITM) attacks via specially-crafted user session
> identifier,
> leading to Pidgin crash.
> But if the above paragraph is correct, this would not be considered to
> be a security issue (if the attacker can MITM / insert crafted
> 'full_session_id'
> they can modify everything).

This write-up looks accurate based on my understanding of the issue, so it
sounds like we shouldn't be considering it a security flaw.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Packagers mailing list