Inadvertent public disclosure of remote crasher

Ethan Blanton elb at
Thu Sep 29 22:45:14 EDT 2011

Hi all,

There has been a public disclosure, along with enough information to
reproduce, of a remote crasher in our SILC plugin:

I believe I have introduced a correct fix for this bug to the monotone
repository as 7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8.  I have
attached it to this email.

You may wish to release patched packages at your convenience.  As this
bug was publicly disclosed before the fix was available, there is no
embargo.  We will be requesting a CVE as soon as we gather the
appropriate information from the discoverer.  I do not know what the
current schedule is for 2.10.1, but we will keep you posted.

Apologies for the mad scramble, I will be discussing appropriate
disclosure techniques with the reporter.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin-2.10.0-silc_remote_crash_fix.diff
Type: text/x-diff
Size: 759 bytes
Desc: not available
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: Digital signature
URL: <>

More information about the Packagers mailing list