security review and patches for libpurple

Dan Auerbach dtauerbach at
Wed Jun 29 20:21:02 EDT 2011

Hi Pidgin Security Team,

We at the Electronic Frontier Foundation are dedicated to ensuring 
people have the ability to engage in private and secure communication. 
As we believe the open source suite of tools based on libpurple can and 
should be used for this purpose (most securely via the Off-The-Record 
Messaging protocol), we think it is vital to ensure that the software is 
secure and safe from attack. As such, we hope to begin to partner with 
you in doing an audit of security vulnerabilities surrounding libpurple 
and dependent libraries, and providing patches. In this introductory 
email, we have included some simple initial changes that we believe are 
in keeping with best practices, as well as some changes that close 
potential vulnerabilities. In the coming couple of months, we hope to do 
a thorough audit, and plan to stay communicative about vulnerabilities, 
offering patches where we are able to do so. Our goal is to work with 
you, so please let us know the preferred way to interface with your team 
for disclosing and patching these vulnerabilities beyond the security 
vulnerability disclosure page.

Attached is a document outlining and summarizing suggested changes, 
along with the patches we provide. I have also attached a tar.bz2 of 
diffs, generated using "mtn diff", and a build log. Please see the 
document for the information requested in

We would also like to thank Jake Appelbaum (cc'ed) for this help with 
the review process; we hope to collaborate with him for future steps of 
this review.

Dan and Chris, Electronic Frontier Foundation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: build.tar.bz2
Type: application/x-bzip
Size: 14 bytes
Desc: not available
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libpurple_init.tar.bz2
Type: application/x-bzip
Size: 9742 bytes
Desc: not available
URL: <>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libpurple-notes-initialreview.odt
Type: application/vnd.oasis.opendocument.text
Size: 42764 bytes
Desc: not available
URL: <>

More information about the security mailing list