Remote crash

Daniel Atallah daniel.atallah at
Wed Jan 16 15:43:32 EST 2013

On Wed, Jan 16, 2013 at 3:17 PM, Eion Robb <eion at> wrote:
> Since we ship our own libpango, are we better off taking a crack at fixing
> the bug, rather than working around it?
> I mean, if we were to go to the effort of sanitising everywhere that we
> receive user input (buddy name, alias, chat messages, im messages, topic,
> Get Info, notify windows, text input areas)....

Yeah, this certainly would be the best solution.  That would be the
real "central location" to fix the bug.

It's not too horrible to build Pango, but the code in question seemed
pretty arcane when I took a brief look at it.

I'd be happy to try to help you set up a build environment and we may
be able to get some tips from Behdad; his latest comment on the
bugzilla ticket indicated he may be able to point at a solution.


> On 17 January 2013 04:30, Ethan Blanton <elb at> wrote:
>> Daniel Atallah spake unto us the following wisdom:
>> > > I'm wondering if GtkIMHtml should filter stuff on the way through, in
>> > > Windows?  It sounds like maybe that's not perfect protection (I assume
>> > > you'd just have to put such a string in an invite or similar), but
>> > > it'd avoid channel-clearing etc.
>> >
>> > Yes, I've been meaning to do something like this.  I have an
>> > incomplete patch that sanitizes problematic characters out of strings
>> > (similar to what the plugin does).
>> > I was hoping for a more central location to do this rather than for
>> > GtkIMHtml, but that may not exist.
>> What about pidgin_utf8_salvage() and the associated conversion
>> functions?  On Windows, those could perform another pass to sanitize
>> the string.  It's ugly and kind of expensive, but maybe not as
>> crashy-crashy?
>> Ethan
>> _______________________________________________
>> security mailing list
>> security at

More information about the security mailing list