Getting Pidgin 2.10.10 out the door

Tomasz Wasilczyk tomasz at
Sat Oct 4 03:59:06 EDT 2014

I'm getting back to home around 2014-10-09, so I won't be able to do any
implementation (if necessary) before that.

In my opinion, "gadu gadu issues" are not security threats, but it would be
helpful if any other dev could have his say. I am going to fix these in the
upcoming libgadu, but I'm not sure if we should backport these patches with
such short amount of time for testing.

We've been sitting on some vulnerabilities for quite a long time - it's
time for a release.

Here are the things that are committed and I think need CVEs for:

* VRT-2014-0203 - Pidgin libpurple Mxit Emoticon ASN Length Denial of
Service Vulnerability:
* VRT-2014-0205 - Pidgin libpurple Novell Protocol Multiple Denial of
Service Vulnerabilities:
* VRT-2014-0205 - Pidgin Theme/Smiley Untar Arbitrary File Write

Outstanding stuff:

* SSL certificate chain validation issues
* "libpurple gadu-gadu issues" thread

What else is outstanding?
Are there additional bugs we need to fix or patches we should apply?

How about targeting 10/15 for the release? Can we get the outstanding stuff
done by then?


security mailing list
security at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the security mailing list