Security Bug in Pidgin-2.10.7

Ethan Blanton elb at
Sat Apr 13 11:55:45 EDT 2013

Radhesh Krishnan K spake unto us the following wisdom:
> Okay, maybe I am wrong. Please help me to understand this.

This is a complex issue, actually.

> The file I am referring to is
> "pidgin-2.10.7/libpurple/protocols/gg/lib/events.c:843"

This file is an imported version of the externally-maintained libgadu

> Code starting from here.

We never set this flag.  When linking against an external libgadu, we
additionally have this check:

#error "libgadu is not compatible with the GPL when compiled with OpenSSL support."

This code is dead code in libpurple.  The issue you found may be real,
however, and should be taken up with the libgadu developers.  I have
Cc'd our own Tomasz Wasilczyk, who has worked with the libgadu
developers, and attached your original message.

-------------- next part --------------
An embedded message was scrubbed...
From: Radhesh Krishnan K <radheshkrishnank at>
Subject: Security Bug in Pidgin-2.10.7
Date: Sat, 13 Apr 2013 20:03:44 +0530
Size: 10928
URL: <>