Crash in Pidgin and Adium on XMPP MUC Presence

Elliott Sales de Andrade qulogic at pidgin.im
Sat Feb 25 16:32:18 EST 2012


On Fri, Feb 24, 2012 at 3:33 AM, Mark Doliner <mark at kingant.net> wrote:

> On Thu, Feb 23, 2012 at 1:20 AM, Elliott Sales de Andrade
> <qulogic at pidgin.im> wrote:
> > On Mon, Feb 6, 2012 at 6:18 PM, Elliott Sales de Andrade
> > <qulogic at pidgin.im> wrote:
> >>
> >> I'm debating whether to also include:
> >> http://developer.pidgin.im/ticket/14302 - "MSN offline messages are not
> >> sent, there is no notification in the chat window"
> >>
> >> The only way to fix it appears to be an update to MSNP18, which turns
> >> out to be relatively simple, but such a change may or may not be
> >> problematic.
> >
> > In case no-one has noticed, I have plucked these changes as well.
>
> Oh awesome.  I had not noticed--thanks.
>
> > Any idea when we might be getting 2.10.2 out?
>
> Here's the info I have so far:
>
> - Needs work? Crash in Pidgin and Adium on XMPP MUC Presence.  Kevin
> Stange reported this to this list on February 6th.  We think this was
> inadvertently fixed in im.pidgin.pidgin, but has not been fixed in
> im.pidgin.pidgin.2.x.y (right?).  This is not public.  I'll request a
> CVE from the packagers mailing list once we have a patch.  We should
> set an embargo date and hold off on committing the patch until the
> embargo date (and release 2.10.2 on the same day).
>
> Elliott had suggested, "the check for if(!old_cbuddy) could be moved
> up in pidgin_conv_chat_rename_user() to before attempting to complete
> the rename."  If we're happy with that solution then we're good.  I
> can commit that and push it on the embargo date.
>
>
FYI, this is in fact what's done in #14392 below.


> - Needs work: Pidgin crashes upon Nick change in SILC channel
> (http://developer.pidgin.im/ticket/14864).  This is not yet fixed.
> This is public.  I'm not aware of a CVE.  I'll request one from
> oss-security at lists.openwall.com a few days before releasing.
>
>
I recall someone discussing a change to purple_conv_chat_rename_user. Was
that not ever implemented, or is it not related here at all?


> - GTK+ in Windows crashes on non-BMP UTF-8 charpoints
> (https://bugzilla.gnome.org/show_bug.cgi?id=668154).  Is there
> anything we can do about this?  It sounds like it might be fixed in
> new GTK... maybe we just need to bundle the new version?
>
> - Done... not sure if it's worth mentioning to packagers or requesting
> a CVE: A fix for this is in the 2.x.y branch, but I can't tell if this
> is a remote crasher: http://developer.pidgin.im/ticket/14392
>
>
See above.


> - Done: Fix possible crashes caused by not validating incoming MSN
> messages as UTF-8 (http://developer.pidgin.im/ticket/14884).  This is
> fixed.  This is public.  I'm not aware of a CVE.  I'll request one
> from oss-security at lists.openwall.com a few days before releasing.
>

I wasn't sure if this would still occur, given the recent change to the
sending of OIMs. Interestingly, even if you send an OIM with some other
encoding, the OIM server tells your buddy the text is in UTF-8, without
actually re-encoding anything. Don't know if it would also affect the
official client too.

-- 
Elliott aka QuLogic
Pidgin developer