Crash in Pidgin and Adium on XMPP MUC Presence

Elliott Sales de Andrade qulogic at pidgin.im
Sat Feb 25 16:34:21 EST 2012


On Sat, Feb 25, 2012 at 4:32 PM, Elliott Sales de Andrade <qulogic at pidgin.im> wrote:

> On Fri, Feb 24, 2012 at 3:33 AM, Mark Doliner <mark at kingant.net> wrote:
>
>> On Thu, Feb 23, 2012 at 1:20 AM, Elliott Sales de Andrade
>> <qulogic at pidgin.im> wrote:
>> > On Mon, Feb 6, 2012 at 6:18 PM, Elliott Sales de Andrade <qulogic at pidgin.im> wrote:
>> >>
>> >> I'm debating whether to also include:
>> >> http://developer.pidgin.im/ticket/14302 - "MSN offline messages are not
>> >> sent, there is no notification in the chat window"
>> >>
>> >> The only way to fix it appears to be an update to MSNP18, which turns out
>> >> to be relatively simple, but such a change may or may not be problematic.
>> >
>> > In case no-one has noticed, I have plucked these changes as well.
>>
>> Oh awesome.  I had not noticed--thanks.
>>
>> > Any idea when we might be getting 2.10.2 out?
>>
>> Here's the info I have so far:
>>
>> - Needs work? Crash in Pidgin and Adium on XMPP MUC Presence.  Kevin
>> Stange reported this to this list on February 6th.  We think this was
>> inadvertently fixed in im.pidgin.pidgin, but has not been fixed in
>> im.pidgin.pidgin.2.x.y (right?).  This is not public.  I'll request a
>> CVE from the packagers mailing list once we have a patch.  We should
>> set an embargo date and hold off on committing the patch until the
>> embargo date (and release 2.10.2 on the same day).
>>
>> Elliott had suggested, "the check for if(!old_cbuddy) could be moved
>> up in pidgin_conv_chat_rename_user() to before attempting to complete
>> the rename."  If we're happy with that solution then we're good.  I
>> can commit that and push it on the embargo date.
>>
>>
> FYI, this is in fact what's done in #14392 below.
>
>
>> - Needs work: Pidgin crashes upon Nick change in SILC channel
>> (http://developer.pidgin.im/ticket/14864).  This is not yet fixed.
>> This is public.  I'm not aware of a CVE.  I'll request one from
>> oss-security at lists.openwall.com a few days before releasing.
>>
>>
> I recall someone discussing a change to purple_conv_chat_rename_user. Was
> that not ever implemented, or is it not related here at all?
>
>

Oh, right, that's #14392 also. Does it not fix this bug as well?


>> - GTK+ in Windows crashes on non-BMP UTF-8 charpoints
>> (https://bugzilla.gnome.org/show_bug.cgi?id=668154).  Is there
>> anything we can do about this?  It sounds like it might be fixed in
>> new GTK... maybe we just need to bundle the new version?
>>
>> - Done... not sure if it's worth mentioning to packagers or requesting
>> a CVE: A fix for this is in the 2.x.y branch, but I can't tell if this
>> is a remote crasher: http://developer.pidgin.im/ticket/14392
>>
>>
> See above.
>
>
>> - Done: Fix possible crashes caused by not validating incoming MSN
>> messages as UTF-8 (http://developer.pidgin.im/ticket/14884).  This is
>> fixed.  This is public.  I'm not aware of a CVE.  I'll request one
>> from oss-security at lists.openwall.com a few days before releasing.
>>
>
> I wasn't sure if this would still occur, given the recent change to the
> sending of OIMs. Interestingly, even if you send an OIM with some other
> encoding, the OIM server tells your buddy the text is in UTF-8, without
> actually re-encoding anything. Don't know if it would also affect the
> official client too.
>
>
--
Elliott aka QuLogic
Pidgin developer