Crash in Pidgin and Adium on XMPP MUC Presence

Mark Doliner mark at kingant.net
Fri Feb 24 03:33:33 EST 2012


On Thu, Feb 23, 2012 at 1:20 AM, Elliott Sales de Andrade
<qulogic at pidgin.im> wrote:
> On Mon, Feb 6, 2012 at 6:18 PM, Elliott Sales de Andrade <qulogic at pidgin.im>
> wrote:
>>
>> I'm debating whether to also include:
>> http://developer.pidgin.im/ticket/14302 - "MSN offline messages are not
>> sent, there is no notification in the chat window"
>>
>> The only way to fix it appears to be an update to MSNP18, which turns out
>> to be relatively simple, but such a change may or may not be problematic.
>
> In case no-one has noticed, I have plucked these changes as well.

Oh awesome.  I had not noticed--thanks.

> Any idea when we might be getting 2.10.2 out?

Here's the info I have so far:

- Needs work? Crash in Pidgin and Adium on XMPP MUC Presence.  Kevin
Stange reported this to this list on February 6th.  We think this was
inadvertently fixed in im.pidgin.pidgin, but has not been fixed in
im.pidgin.pidgin.2.x.y (right?).  This is not public.  I'll request a
CVE from the packagers mailing list once we have a patch.  We should
set an embargo date and hold off on committing the patch until the
embargo date (and release 2.10.2 on the same day).

Elliott had suggested, "the check for if(!old_cbuddy) could be moved
up in pidgin_conv_chat_rename_user() to before attempting to complete
the rename."  If we're happy with that solution then we're good.  I
can commit that and push it on the embargo date.

- Needs work: Pidgin crashes upon Nick change in SILC channel
(http://developer.pidgin.im/ticket/14864).  This is not yet fixed.
This is public.  I'm not aware of a CVE.  I'll request one from
oss-security at lists.openwall.com a few days before releasing.

- GTK+ in Windows crashes on non-BMP UTF-8 charpoints
(https://bugzilla.gnome.org/show_bug.cgi?id=668154).  Is there
anything we can do about this?  It sounds like it might be fixed in
new GTK... maybe we just need to bundle the new version?

- Done... not sure if it's worth mentioning to packagers or requesting
a CVE: A fix for this is in the 2.x.y branch, but I can't tell if this
is a remote crasher: http://developer.pidgin.im/ticket/14392

- Done: Fix possible crashes caused by not validating incoming MSN
messages as UTF-8 (http://developer.pidgin.im/ticket/14884).  This is
fixed.  This is public.  I'm not aware of a CVE.  I'll request one
from oss-security at lists.openwall.com a few days before releasing.

