4 vulnerabilities in libpurple

Ethan Blanton elb at pidgin.im
Sat Feb 8 22:28:43 EST 2014

Richard Johnson spake unto us the following wisdom:
> We have 4 more lower severity vulnerabilities in libpurple to report. Three
> result in denial of service, and one allows an out-of-bounds write of a
> NULL value (this is considered potentially remote code execution, so we may
> update the advisory title to reflect that before release; however, we do not
> believe it is a high risk for exploitation attempts).
> Since they are lower severity and you just did a new release, I understand
> that it may take some time for these to get pushed out. I would appreciate
> an estimate on your next version release date so I can add that to our
> internal tracking system.

That's tough to say right now, since we just released in the past
week; however, I think we're probably looking at another 2-3 months at
the earliest for 2.10.10, assuming we don't release specifically for a
vulnerability or showstopper bug before then.  We have been discussing
some SSL/TLS changes that might push that forward a bit, but I don't
think we generally view them as urgent -- simply highly desirable.
We're gearing up for 3.0.0, which will be a very long release cycle as
it will require betas and release candidates and such, and I think
we're wanting to get that cycle started for SoC, which is going to
take a fair amount of our available time and energy.

I don't know if any other devs may want to weigh in on that
prognostication, but I think if you mark some time in early May it
won't be too far off the mark.  That said, if you don't want to wait
that long for disclosure for some particular reason, we can talk about
an earlier release.  We may also decide to push these vulnerabilities
a little bit sooner based on our own analysis (I haven't reviewed them
yet), and we'll get back to you on that relatively soon.
