security review and patches for libpurple

Jacob Appelbaum jacob at appelbaum.net
Tue Jul 19 00:46:01 EDT 2011


On a related topic - I'd like to share a bit of insider knowledge from
the bug hunting community. I've just recently finished a nine day REcon
stint and I wasn't too happy with what I heard about pidgin.
Specifically, I've heard that people are trying to sell pidgin 0day but
they're not finding any ethical buyers; that is to say that ZDI doesn't
buy pidgin bugs and work to get them fixed. Meanwhile, I've directly
seen that some of the digital arms dealing companies are making offers
for pidgin/libpurple bugs. I assume that libxml2 bugs via pidgin are
valid "pidgin bugs" in the arms dealing world.

I really think that a strong pidgin/libpurple security push is needed -
something much larger than what a few developers might be able to
accomplish on their own.

All the best,
Jacob


More information about the security mailing list