Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 1 Oct 2011 16:48:00 -0400
From: Ethan Blanton <>
Subject: libpurple vulnerability disclosure and fix

Hello all,

A libpurple vulnerability was made known to the Pidgin developers via
our public bug tracker which affects the SILC protocol plugin and all
software which uses SILC via libpurple.  The original identification
of the vulnerability and bug report was made by Diego Bauche Madero
from IOActive <>, and can be seen on the
Pidgin bug tracker as Bug #14636:

The vulnerability lies in calling g_markup_escape_text() on strings
which have not been verified as valid UTF-8.  This function is not
required to do anything reasonable with invalid UTF-8, and indeed
reads past the end of the string and will eventually segfault for
certain sequences in some versions of Glib 2.  Because the behavior of
this function is undefined, and depends on the particular version of
Glib 2 in use, the complete ramifications of this bug are unknown.
Remote crashing of a libpurple client by untrusted users via
specifically crafted SILC messages is a verified vulnerability.

This bug is believed to affect all releases of libpurple up to and
including version 2.10.0.

The correct fix for this bug is UTF-8 validation (and correction if
necessary) of the incoming string before passing it to Glib.  A patch
which provides this fix has been applied to the Pidgin sources in
revision 7eb1f6d56cc58bbb5b56b7df53955d36b9b419b8 and will appear in
all future Pidgin releases.  For reference, it is:

All packagers of libpurple (including monolithic Pidgin and/or finch
packages) who have not already done so are encouraged to apply this
change to their packages immediately.

We would also like to request a CVE number for this issue.

Any sensitive follow-ups to this issue, or any other Pidgin, finch, or
libpurple issue, may be directed to

Thank you,

Download attachment "signature.asc" of type "application/pgp-signature" (483 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.