libpurple vulnerabilities / State of the project

Felix Dreissig f30 at f30.me
Wed Jan 14 16:30:16 UTC 2015


Hi,

On 14 Jan 2015, at 08:21, Thijs Alkemade <me at thijsalkema.de> wrote:
>> On 14 jan. 2015, at 00:29, Felix Dreissig <f30 at f30.me> wrote:
>> 
>> Hi,
>> 
>> on 22 October 2014, Pidgin 2.10.10 was released, fixing several security vulnerabilities. One of those is an arbitrary memory read via XMPP (CVE-2014-3698). I can see no indication that Adium might not be vulnerable to these issues.
> 
> The vulnerability only applies when libpurple is built with libidn support, which Adium 1.5 isn’t.

Glad to hear that. This also leaves me less confused, since you are attributed as one of the issue’s discoverers as well.

Of the other security issues fixed in Pidgin 2.10.10, one looks specific to Pidgin too (CVE-2014-3694), one only affects Windows (CVE-2014-3697) and one concerns the MXit protocol, which currently doesn't seem to be supported by Adium (CVE-2014-3695).
Which leaves CVE-2014-3696 – can you tell anything about that in regard to Adium? Although GroupWise is presumably used much less than XMPP and it looks like "just" a DoS without an option for anything more, it would still be an outstanding security issue.

Regards,
Felix
