2.13.0 release with security issues

Gary Kramlich grim at pidgin.im
Wed Mar 7 01:41:46 EST 2018

Greetings Programs!

Sorry for the late update, but we will be releasing Pidgin 2.13.0 around
0300 UTC on Friday March 9th.  This release contains 5 security updates
and is being rushed out as I will be unavailable for a few weeks after
this week.

Patches with more information can be found at
https://pidgin.im/~grim/private/memorize-darkroom-confront/ with a
release tarball to be uploaded some time in the next 24 hours.  No CVE's
have been requested as of yet due both to the rush nature and what we
believe to be the low severity of these issues.

All of the pull requests for these issues can be viewed with permission
at https://bitbucket.org/pidgin/security.  If you would like permission,
please let me know your bitbucket.org username so I can add you to the

The issues are as follows:

This is a use after free, but depends on getting disconnected to trigger
so we believe that it's severity is very low.

Fixes a one byte over read, but we have not yet been able to analyze it
more.  It could be more if address sanitation isn't there to stop it.

Fixes an issue were utf8 was incorrectly truncated which could lead to
crashes as we were potentially feeding garbage into glib/gtk.  Unlikely
to be exploited over irc due to invite message limits, but could happen
in XMPP.  Our analysis says this can not lead to an RCE.

Fixes an out of bounds read that in our analysis should at worst cause a

Write of a single byte before the start of a buffer.  While
theoretically possible to RCE, requires corrupting memory with NULLs so
extremely difficult to exploit.

Also, if anyone on this list believes they should no longer be on this
list, please unsubscribe or let me know so I can remove you.  If there
is someone that should be replacing you, please let me know so I can get
them added to the list.

Finally, the current public version of the ChangeLog for the release is
as follows:

version 2.13.0 (03/08/2018):
    * Unified string comparison. (PR #186) (Arkadiy Illarionov)
    * Properlly shell escape URI's when opening them. (PR #271 Daniel
Kamil Kozar)

    * Fixed build against curses 6.0 with opaque structs set. (#16764
      (PR #268 Daniel Kamil Kozar)
    * Fixed a crash when resizing the window. (#16680 marcus) (PR #269
Daniel Kamil Kozar)

    * Fixed bashism in autotools. (#16836 lameventanas) (PR #267 Daniel
Kamil Kozar)

    * Show XEP-0066 OOB URLs in any message, not just headlines
    * Fix a user after free (#17200 debarshiray) (PR #266 Ethan Blanton)
    * Removed pipelining from BOSH connections (#17025 PR #295 Tom Li)
    * Don't try to TLS already secured BOSH connections (#17270 PR #293
Tom Li)

    * Fix "Registration timeout" on SASL auth with InspIRCd servers
      (and possibly others not based on charybdis/ratbox/ircd-seven)
    * Fix issues with plugins that modify outgoing messages
      (such as the custom PART/QUIT feature of the IRC More plugin)
    * Fix IRC buffer handling.  (#12562 PR #272 Shivaram Lingamneni)

    * Better support for dark themes. (#12572 Alyssa Rosenzweig and Gary
    * Fixed IPv6 links by not escaping []'s. (#16391 cyisfor) (PR #270
Daniel Kamil Kozar)
    * Only write buddy icons to the cache if they're not already
cached.  (PR #276 David Woodhouse)
    * Rejoin persistent chats after reconnect.  (#15687 PR #285 Christof
    * Made the WIN32 Transparency plugin work on all platforms. (#3124
PR #287 Daniel Kamil Kozar)
    * Ensure search results buttons are labeled (Backport from de2d88e575ee)
    * Fix matching unicode smilies.  (#17232 gnubfx PR #262 Daniel Kamil
    * Correctly update mute/unmute status when the remote side
mutes/unmutes us. (#17273 PR #302 David Woodhous
    * Rework the status icon blinking to not used deprecated API. 
(#17174 zelch PR #264 Daniel Kamil Kozar)

    * Fix handling of search results (#17238 David Woodhouse)


Gary Kramlich <grim at reaperworld.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <https://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20180307/9211e553/attachment.sig>

More information about the Packagers mailing list