Security Bug in Pidgin-2.10.7

Radhesh Krishnan K radheshkrishnank at
Sat Apr 13 11:47:15 EDT 2013

Okay, maybe I am wrong. Please help me to understand this.

File I am referring to is "*

Code starting from here.

                case GG_STATE_TLS_NEGOTIATION:
                        int res;
                        X509 *peer;

                        gg_debug_session(sess, GG_DEBUG_MISC, "// gg_watch_fd() GG_STATE_TLS_NEGOTIATION\n");

                        if ((res = SSL_connect(sess->ssl)) <= 0)

On Sat, Apr 13, 2013 at 9:12 PM, Ethan Blanton <elb at> wrote:

> Radhesh Krishnan K spake unto us the following wisdom:
> > libpurple is using openSSL. And I believe pidgin is using libpurple
> > that is why I said so. Actually security bug is with libpurple. I was
> > going through the code base and I found the openSSL APIs used in
> > libpurple as I have mentioned in the first mail.
> No, libpurple does not use OpenSSL, as it is license incompatible with
> our unmodified GPL v2 license.  Please indicate the specific file and
> line where you believe you have found OpenSSL code, as well as where
> you received your source code, and maybe we can clear up this
> confusion.
> Ethan


Radhesh Krishnan K.