[Pidgin] #15285: libxml2 library out of date

Pidgin trac at pidgin.im
Sat Aug 25 20:36:59 EDT 2012

#15285: libxml2 library out of date
 Reporter:  ioerror          |     Owner:  datallah
     Type:  defect           |    Status:  new     
Component:  winpidgin (gtk)  |   Version:  2.10.6  
 Keywords:  security         |  
 It appears that the pidgin libxml2 library shipped with the Windows
 release is old and vulnerable:
 % objdump -d -p libxml2-2.dll|head

 libxml2-2.dll:     file format pei-i386

 Characteristics 0x2106
         line numbers stripped
         32 bit words

 Time/Date               Mon Sep 14 09:05:21 2009

 I noticed that the Windows Build (
 http://developer.pidgin.im/wiki/BuildingWinPidgin ) page suggests the
 Download libxml2-dev_2.7.4-1_win32.zip and libxml2_2.7.4-1_win32.zip.
 Extract both to $PIDGIN_DEV_ROOT/win32-dev/libxml2-2.7.4 (you'll need to
 create this directory).

 That isn't the correct version used in builds nor the most recent version
 of libxml2.

 When I look at the GTK website where those files live, I don't see a
 libxml2 build produced after 07-Apr-2010. It appears that the hash of the
 libxml2 shipped with pidgin is:
 % sha1sum libxml2-2.dll
 6f3b13168336aa531e019b7dd237ed51c2992511  libxml2-2.dll

 That appears to be the same as the file available (
 ) from gnome as libxml2_2.7.4-1_win32.zip:
 unzip libxml2_2.7.4-1_win32.zip
 Archive:  libxml2_2.7.4-1_win32.zip
   inflating: bin/libxml2-2.dll
   inflating: manifest/libxml2_2.7.4-1_win32.mft
 % sha1sum bin/libxml2-2.dll
 6f3b13168336aa531e019b7dd237ed51c2992511  bin/libxml2-2.dll

 So GTK's website actually has a newer, but still vulnerable, libxml2-2.dll
 library, and Pidgin appears to ship one built on 14-Sep-2009. It appears
 that CVE-2010-4008 applies to this library:

Ticket URL: <http://developer.pidgin.im/ticket/15285>
Pidgin <http://pidgin.im>
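The two checks the reporter ran by hand (reading the PE build timestamp and characteristics with objdump -p, and comparing the DLL's SHA-1 against the upstream zip) can be done offline in one script. The following is an added example, not code from the ticket or from the Pidgin project. It parses the COFF file header directly, hashes the file, and looks the hash up in a table of known builds; the only hash in that table is the one quoted in the ticket (6f3b1316...), the sample image it audits is a constructed minimal PE, and its timestamp is a made-up value chosen to decode to 2009-09-14 09:05:21 UTC (objdump prints local time, so the reporter's output is not directly comparable).

```python
import hashlib
import struct
from datetime import datetime, timezone

# SHA-1 quoted in ticket #15285: the libxml2-2.dll shipped with Windows
# Pidgin 2.10.6, identical to bin/libxml2-2.dll in libxml2_2.7.4-1_win32.zip.
KNOWN_HASHES = {
    "6f3b13168336aa531e019b7dd237ed51c2992511":
        "libxml2 2.7.4-1 win32 build (shipped with Pidgin 2.10.6)",
}

IMAGE_FILE_MACHINE_I386 = 0x14C

# Subset of IMAGE_FILE_HEADER.Characteristics bits, named as objdump -p prints them.
CHARACTERISTIC_FLAGS = {
    0x0002: "executable",
    0x0004: "line numbers stripped",
    0x0100: "32 bit words",
    0x2000: "DLL",
}


def parse_coff_header(data: bytes) -> dict:
    """Parse the fields that 'objdump -p' shows for a PE image.

    Layout: DOS header with e_lfanew at offset 0x3C -> 'PE\\0\\0' signature ->
    IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2)
    Characteristics(2), all little-endian.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "built_utc": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "characteristics": chars,
        "flags": [name for bit, name in CHARACTERISTIC_FLAGS.items() if chars & bit],
        "optional_header_size": opt_size,
    }


def audit_dll(data: bytes) -> dict:
    """Combine the header view with a SHA-1 lookup against known builds."""
    info = parse_coff_header(data)
    digest = hashlib.sha1(data).hexdigest()
    info["sha1"] = digest
    # An unknown hash is the interesting case: it means the DLL is neither
    # the upstream 2.7.4-1 artifact nor anything else we have catalogued.
    info["identified_as"] = KNOWN_HASHES.get(digest, "unknown build")
    return info


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed minimal PE: MZ stub, e_lfanew=0x40, then a COFF header
    with the characteristics value 0x2106 seen in the ticket's objdump output."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack(
        "<HHIIIHH", IMAGE_FILE_MACHINE_I386, 3, timestamp, 0, 0, 0xE0, 0x2106)
    return bytes(dos) + coff


# Made-up timestamp (assumption, not the real DLL's): 2009-09-14 09:05:21 UTC.
SAMPLE_TIMESTAMP = 1252919121
SAMPLE_DLL = build_sample_pe(SAMPLE_TIMESTAMP)

if __name__ == "__main__":
    for key, value in audit_dll(SAMPLE_DLL).items():
        print(f"{key:>22}: {value}")
```

To audit a real file, pass open("libxml2-2.dll", "rb").read() to audit_dll(); a match on the ticket's hash confirms the 2.7.4-1 build is still being shipped, and an old TimeDateStamp on an unknown hash is the signal to go and find out where that DLL came from.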
