[pidgin-security] possible segfault in perl wrapper

Tomasz Wasilczyk tomkiewicz at cpw.pidgin.im
Thu Apr 18 09:03:00 EDT 2013

2013/4/18 Mark Doliner <mark at kingant.net>:
> I kinda think we should leave it in 3.0.0.  After your fix the
> function will be safe, right?  I kinda don't like having a perl plugin
> loader (I mean, who uses perl these days??), but I think we should
> continue to maintain it until we decide to remove it.  And I'd kinda
> rather not remove it until we have some semblance of stats on how many
> people use it.  I'm hoping Sanket's statscollector project can
> eventually be used for this purpose.

I've already removed it, but of course it's always possible to revert.

After my fix the function will be actually working. I don't believe,
that any useful and popular plugin uses it, while it fails for some
IPs. Anyway, as I wrote before, this function looks useless not only
for perl, so I removed it from libpurple API too [1].

3.0.0 breaks API, so no-one should expect reverse compatibility for
plugins - that's a chance for cleaning it up. If we really want
ip_atoi routine, it should return just an integer, not array of bytes
- that's way more popular format. But - do we really have to provide
such function in our API?


[1] https://hg.pidgin.im/pidgin/main/rev/7e3ea8475aad

More information about the security mailing list