Security Bug in Pidgin-2.10.7

Radhesh Krishnan K radheshkrishnank at gmail.com
Sat Apr 13 11:47:15 EDT 2013


Okay, maybe I am wrong. Please help me to understand this.

The file I am referring to is "pidgin-2.10.7/libpurple/protocols/gg/lib/events.c:843"

Code starting from here.

#ifdef GG_CONFIG_HAVE_OPENSSL
                case GG_STATE_TLS_NEGOTIATION:
                {
                        int res;
                        X509 *peer;

                        gg_debug_session(sess, GG_DEBUG_MISC, "// gg_watch_fd() GG_STATE_TLS_NEGOTIATION\n");

                        if ((res = SSL_connect(sess->ssl)) <= 0)






On Sat, Apr 13, 2013 at 9:12 PM, Ethan Blanton <elb at pidgin.im> wrote:

> Radhesh Krishnan K spake unto us the following wisdom:
> > libpurple is using openSSL. And I believe pidgin is using libpurple
> > that is why I said so. Actually security bug is with libpurple. I was
> > going through the code base and I found the openSSL APIs used in
> > libpurple as I have mentioned in the first mail.
>
> No, libpurple does not use OpenSSL, as it is license incompatible with
> our unmodified GPL v2 license.  Please indicate the specific file and
> line where you believe you have found OpenSSL code, as well as where
> you received your source code, and maybe we can clear up this
> confusion.
>
> Ethan
>


-- 




Regards,
Radhesh Krishnan K.