
Pidgin Adds Google Talk Voice and Video Support (and a Vulnerability) 127

Posted by timothy
from the hey-sometimes-stuff-happens dept.
ottothecow writes "While various attempts at video and voice support have been in the pipeline since long before GAIM became Pidgin, fully functioning support over XMPP is on its way. Lifehacker reports that Pidgin 2.6 adds voice and video support for GChat (and presumably any other XMPP network) for Mac and Linux. Windows still has a few bugs but they are being worked on. Pidgin 2.6.1 is only available as source at the moment (but precompiled versions are available at getdeb)." Less happily, an anonymous reader writes "A remote arbitrary-code-execution vulnerability has been found in Libpurple (used by Pidgin and Adium instant messaging clients, among others), which can be triggered by a remote attacker by sending a specially crafted MSNSLP packet with invalid data to the client through the MSN server. No victim interaction is required, and the attacker is not required to be in the victim's buddy list (under default configuration)."
  • Mac Binaries (Score:3, Informative)

    by slummy (887268) * <shawnuthNO@SPAMgmail.com> on Wednesday August 19, 2009 @05:47PM (#29125799) Homepage
    Are not available yet.... :(

    http://pdb.finkproject.org/pdb/package.php/pidgin [finkproject.org]
    • Re: (Score:1, Funny)

      by Anonymous Coward

      Get a compiler, and make them.

      • by Ilgaz (86384)

        If he has Fink, he already has a compiler, and some .info file having all the necessary patches and fixes to possible linuxisms, but that is not the deal.

        "compile your own" sounds more like "provide your .patch" which serves nothing to the purpose. We don't do such RTFM flames on OS X, at least yet.

        The idea behind Fink and Macports is to provide end user access to the gigantic Unix/BSD layer of OS X otherwise left unused unless he is a Developer and having same class of citizenship among other *nix operating systems.

      • by blueskies (525815)

        Let me guess? You're one of the pidgin asshats? I thought your project imploded after everyone realized what the developers really thought about their users.

      • Get a compiler, and make them.

        Alas, my friend. The Mac people have forgotten that they are Unix people. Or perhaps they have never known at all... Ah, the tragedy of it cuts me to the quick.

    • Re: (Score:2, Interesting)

      by nawcom (941663)

      Are not available yet.... :(

      Bah, don't worry; Adium will quickly integrate support I'm sure. I don't know about you but I'd prefer Adium over the Pidgin design for ANY operating system any day. Unfortunately they use Mac only frameworks. Porting (and most likely using an easy OS independent toolkit like Qt) would be a great project for inactive coders. Dunno about you, but I find Skype's interface 20 times more attractive than Pidgin's. Skype uses Qt 4.

    • by Ilgaz (86384)

      Getting Mac binaries via Fink is relatively easy. Send a polite mail to package maintainer describing the security issue and if you are experienced in Fink, just simply say "I tried to build (via my .info in local), it builds fine just by updating source URL" or "it doesn't build since it needs xxxx package updated".

      I bet in hours, it will popup in "fink selfupdate"

      BTW, Fink doesn't provide a lot of "apt-get deb" type binaries as OS X is an ever changing OS with things beyond their control (e.g. Apple addin

  • by pha7boy (1242512)

    "No victim interaction is required, and the attacker is not required to be in the victim's buddy list (under default configuration).

    ouch. that's a massive hole in security. I take it that would require a re-write on the server side to prevent execution.

    • Re: (Score:2, Insightful)

      by Brian Gordon (987471)

      Server side? No.. it's a client issue.

      Anyway as far as I'm concerned Pidgin abandoned its credibility a long time ago. I don't need an IM application anyway; if I need to contact someone I just open Gmail. If they're not online then email is right there.

      • Re:ouch (Score:4, Insightful)

        by Luke has no name (1423139) <fox&cyberfoxfire,com> on Wednesday August 19, 2009 @06:27PM (#29126319)

        -1 for not backing up your statement on Pidgin's credibility.

        And good for you that all your contacts reside on GMail, and that you prefer a GMail's web app to a desktop app that centralizes the many forms of communication on the Net. If that works for you, fine. It does not work for me. I want faster response time, a unified UI for all my communication, more flexible message notification, logging, etc. that keeps me in control of my settings and data locally.

        cp -a /home/me/.purple/ /media/Backup/Pidgin/

        I have friends on AIM, Facebook, GMail, and one or two with their own XMPP address. Fortunately, I do not need MSN to contact anyone I know.

        • by blueskies (525815)

          Pidgin's credibility was thrown away when they decided their users didn't matter. Look it up. You'll find an epic bug report of the developers being asshats.

      • Re:ouch (Score:5, Funny)

        by 93 Escort Wagon (326346) on Wednesday August 19, 2009 @07:20PM (#29126849)

        I don't need an IM application anyway; if I need to contact someone I just open Gmail.

        If I need to contact someone, I just yell really loud.

        • Are you serious? Why would you waste your energy like that? When I need to contact someone, I summon my minions and have them deliver the desired person for a conversation.

        • Re: (Score:2, Funny)

          by Anonymous Coward

          Thanks, Vin Diesel.

          The rest of us have to use whistles.

      • by Ilgaz (86384)

        Pidgin is way more than "AOL client works under X11" now. It has become some kind of IM kernel & low level framework for instant messengers. So, you are in an extremely funny area if you call it crap, you don't care about it and use the state of the art UI Adium instead.

        Mobile instant messengers, web services rely on Pidgin too.

        I use Pidgin compiled via Fink instead of Adium for a simple reason. I use a Mac Mini on a 720P HDTV and X11 is the only thing which reliably allows the huge fonts I need. Let's not forget the absol

    • by TheLink (130905)
      But that's not a server side problem.

      Think of pidgin as an exploitable email client. Just because the server by default passes messages from anyone (that's not blacklisted) to the client does not mean it's a server problem. And certainly does not mean the server should be rewritten.

      I'm not surprised pidgin has security problems. I stopped using pidgin because it crashes or locks up for stupid reasons. Pidgin is written in C. With C (or C++), "crash bugs" often turn out to be "remote execution of arbitrary c
    • by kestasjk (933987) *
      Well no, people who aren't buddies still need to be able to communicate, and you'd hope such communication would be checked extra thoroughly.

      I'm on Windows and use Pidgin only because I hate Windows Live Messenger, the ads and tabs and needless features and static "Vista-esque" window borders make it feel like 90's RealPlayer's take on IM. When Pidgin was crashing all the time during the last major update I gave Windows Live Messenger another honest go, but couldn't bear it.

      I even tried to get Pidgin
      • Re: (Score:3, Interesting)

        Err, the bug was already fixed and no vulnerable builds were even built for Windows. And incidentally, it'd be easier to just use the WinPidgin build environment fetcher script and cygwin or msys (I prefer msys) than try to compile it with eclipse, although once you have the environment set up eclipse should be able to use it as a Makefile project.
      • If you're on Windows, why do you even bother with Pidgin? There are numerous better native solutions; for a multi-network client (yes, it includes MSN/Live), I prefer Miranda IM as a very lightweight and stable client.

        • Re:ouch (Score:5, Funny)

          by Anonymous Coward on Thursday August 20, 2009 @03:47AM (#29130159)

          It's like carbon credits.

          It is for people who support FSF and feel guilty for running a closed source OS. Instead of actually installing Linux, they offset their use of closed source by installing an open source application. It helps to reduce the guilt and increase "street credentials" among their fellow dwellers of cubicles.

          As an example I have Windows XP running Photoshop. In order to offset I looked up the FSF Source-Credits Guide Lines and Regulations Handbook (FSCGLRH) and found out:

          Windows XP +10 Source Credits
          Photoshop = +5 Source Credits

          Offsets I selected:
          Pidgin = -4 Source Credits
          OpenOffice = -5 Source Credits
          Gimp* = -3 Source Credits
          Amaya** = -3 Source Credits

          *I do not use Gimp, however by installing it, I offset my credits by 3. Thereby reducing my guilt by d6 with a +1 modifier.
          ** I commonly use FireFox, however, it provides only 0 credits, Amaya on the other hand offsets my credits by 3.

          I am happy to say that I am Source Credit Neutral as defined by FSCGLRH. I am even thinking about installing X-Chat 2 in order to sell my credits to offset other people.

          • But Miranda IM is an Open Source client - it's GPL, and it doesn't get any more kosher than that.

            Or is it ritually impure because it is coded as a native Win32 application?

            • by Ilgaz (86384)

              Ritually impure I think. No kidding, if it linked to GTK2, it would have better credibility as "open source". Weird but true.

              Also Miranda has tendency to stay simple, light and use whatever feature Windows frameworks provide to it. I remember it was one of the first (if not first) IM to use Win2k transparency feature among Windows clients. It had it because it made sense for an "always on top" thing to be transparent, not for show off purposes. Anyway, if you go to the author and suggest a "super cool" fea

    • Not surprising. As someone who has written an XMPP library that has to be compatible with the pile of crap now known as libpurple, it's clear that the authors read 'MUST NOT' in a specification as 'is probably a good idea'. I wouldn't trust code written by them anywhere near a machine that contained any important information.
  • on windows... if you've got security vulnerabilities, you should be pushing updates.

    Oh, and about a month ago MSN connectivity died anyway, so I switched to using the HTTP connecting method. From looking at the code, it seems this isn't affected by this issue.

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      I'm not sure what platform you're on but that issue was related to the new version of nss turning off insecure hash algorithms, some of which are still used in MSN's cert. It just takes setting an environment variable to enable the hashes again.

      As far as updates, the client can be set to notify you of new updates, but since only windows would need auto update no one's ever gone about writing the code to do it.

    • Re: (Score:3, Informative)

      Well, if you enable the Release Notifications plugin it will tell you about updates. I did once post to the mailing list about adding an auto-update feature, but since Pidgin is multiplatform and a built-in autoupdate doesn't make sense on Linux with package managers, the idea was rejected. But really, the Release Notifications plugin is more or less good enough.
      • Re: (Score:1, Insightful)

        by Anonymous Coward

        That reason makes no sense at all. Look at firefox as an example. Firefox that comes with my version of Ubuntu disables the update feature because it gets handled by the package manager. However, I run Firefox 3.5, which I downloaded from Mozilla's site and that lets me update when it is available. There is no reason at all why pidgin couldn't write an OS agnostic (It's network code for God's sake) for an update and set an option in compilation that lets distributions disable it. All in all, a very piss poor

      • by Korin43 (881732)
        Or you could just use an operating system that does updates. Ubuntu apparently patched every version of pidgin that's available (even though for some reason they won't just update 2.5.9). Check out the notes [launchpad.net].
        • on Linux with package manager

          You were saying? It's not anything special about Ubuntu, most Linux distros have a package manager. But Ubuntu specifically seems to have a policy of not updating Pidgin except for security issues during releases. I'm surprised you haven't seen this: http://pidgin.im/download/ubuntu/ [pidgin.im]

    • by RiotingPacifist (1228016) on Wednesday August 19, 2009 @08:29PM (#29127469)

      Right, if you're running a vulnerable app, you should let it update itself, sigh!

    • "you should be pushing updates"

      That is NOT the open source way. I think that all open source advocates will agree (no matter which version of open source they advocate) that the strength of open source is CHOICE.

      No code is perfect. Windows users know as well as anyone that aggressively pushing updates can break applications, and even the OS. Remember XP SP2 and SP3? The SP2 issues never affected me, but one of my XP machines totally barfed when SP3 was installed.

      There is nothing to guarantee that pushing

  • ummmm? (Score:5, Informative)

    by CRiMSON (3495) <crimson@unspeak[ ]e.org ['abl' in gap]> on Wednesday August 19, 2009 @06:00PM (#29126005) Homepage

    2.6.1 is only available as source at the moment?

    http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.1.exe [sourceforge.net]

    So that's magic? If you install that do the terrorists win?

    • by Desler (1608317)
      It's even funnier because after it says that it's only available as source there is a link provided to compiled binaries. So which is it?
  • 5. Non-vulnerable packages * Libpurple >= 2.5.9 (Pidgin >= 2.5.9)

    But... but... which version of Pidgin has just been released? So hard to remember... must... concentrate, dammit!

    • Re: (Score:1, Informative)

      by Anonymous Coward

      I think they released 2.5.9, 2.6.0 and 2.6.1 on the same day. They are really trying hard to look amateurish.

      • Re: (Score:3, Insightful)

        No, they're trying to be professional and principled about things. Pidgin is one of the few projects that has standards about versioning, unlike eg. Firefox which goes more along the lines of whatever they feel like bumping the version by. More seriously, Firefox has a longer development cycle between major releases but in general they seem to just bump their version roughly proportionally to the amount of time a release was in development. In Pidgin land, major.minor.x releases are just security/bugfix rel
    • Re: (Score:3, Informative)

      So 2.5.9 is a stability release for distros/maintainers who don't want to upgrade to 2.6.0 for whatever reason. 2.6.0 was released at the same time as 2.5.9 but a bug was immediately found so then they released 2.6.1.
  • Ok, it's available from "getdeb". But where do I get it for plain Debian Stable (Lenny), or where do I get the .diff.gz and .dsc files to compile them myself?
  • A vulnerability that is ridiculously unlikely to ever be seen in the wild? Oh no!

  • . . . but if it's going through the MSN server, doesn't that imply that one would have to be running an MSN login?

    Does anyone actually use that anymore?
    • Yes, there are a lot of people still on MSN, and AIM, especially if they aren't that great with computers. A lot of them have Facebook, but Facebook chat is quite buggy and seems to fail on low-bandwidth connections (and recently has forced me to spoof my user agents in order to use Facebook chat with alphas of Firefox....).
    • Sadly most non-technical users here in the UK do and most of them are very difficult to persuade to either use a multiprotocol client or switch entirely.

    • Yes, because you can't just decide to use something different one day. Convincing all your friends to switch to something else isn't worth the effort.
    • by sqrt(2) (786011)

      It's highly regional. Japan I'm told is mostly Live Messenger (MSN). I actually like the MSN protocol more than AIM or anything else. The client too is very nice once you patch it to remove the ads and some other things. Unfortunately all of my friends still use AIM and there is nothing I can do to get them to switch. Some started using Skype for VOIP but they usually only turn it on when they want to make a call, preferring to use AIM the rest of the time.

    • by Abreu (173023)

      Since the local telecom monopoly here, Telmex, has an agreement with Microsoft, most internet users in Mexico use MSN for IM and Hotmail for email...

      Sad, but true... so I unavoidably have to have a MSN client if I want to IM with people here

      • It's simple... when asked for your IM address, say you use gtalk/gmail/jabber/xmpp and that you don't have MSN (you can't, you don't like it, you don't agree with the MS policy, etc), then ask back if they have gmail or any other xmpp based service. If they complain that they don't want to have 2 IMs open, say they can install multiprotocol clients.

        At the start you will be joked at; later you will see some people starting to use other IM networks and when they reach critical mass, you will see that people start using both n

  • by Laven (102436) on Wednesday August 19, 2009 @06:31PM (#29126375)

    2.5.9 and 2.6.0 were both released Tuesday, August 18th addressing this security issue (CVE-2009-2694). 2.5.9 is 2.5.8 with only CVE-2009-2694 addressed and an unrelated crash bug fix. 2.6.0 contains CVE-2009-2694 in addition to many other bug fixes and the new Voice and Video support.

    Unfortunately, another security issue was discovered with sending URLs over the Yahoo protocol and 2.6.1 was released on Wednesday, August 19th. According to the pidgin developers, 2.5.9 was not affected by the separate bug.

    Note: The Voice and Video support in pidgin-2.6.1 is a bit fragile. You MUST have the latest version of farsight2 and the stack of libraries it requires. You may also need to open ports on your firewall to allow it to connect.

    • Yes, this is what I've been trying to say all over this thread. The slashdot summary is horribly incorrect.
    • Re: (Score:2, Interesting)

      by Tenebrarum (887979)

      Note: The Voice and Video support in pidgin-2.6.1 is a bit fragile. You MUST have the latest version of farsight2 and the stack of libraries it requires. You may also need to open ports on your firewall to allow it to connect.

      To say the ruddy least. I've been trying to connect to friends' GTalk clients and it just doesn't work (although a couple of times I've managed to hear them).

      • by Ilgaz (86384)

        How come Google engineers don't give a hand to Pidgin developers on that GTalk issue? It has been months now; all they need is an SVN client or something.

        Isn't it the main purpose of using an open source framework like XMPP and enhancing on top of it instead of stupidly (hear me MS,AOL) trying to maintain your own closed network?

        One side of Google does a genius move as using XMPP for GTalk and other side doesn't take advantage of it on such a critical issue and leaves implementation to developers who are a

  • Pidgin got voice and video support? Add that to the list. [slashdot.org]
    Too bad Ubuntu is switching to Empathy. Sure, just apt-get pidgin back if you want it, but Telepathy is a much better way to do IM'ing anyway.
    I'm glad to see that Pidgin isn't as dead as we thought, but its era is ending.
  • Pidgin Adds Google Talk Voice and Video Support and patches a Vulnerability

  • Federico Muttis discovered that libpurple, the shared library that adds support for various instant messaging networks to the pidgin IM client, is vulnerable to a heap-based buffer overflow. This issue exists because of an incomplete fix for CVE-2008-2927 and CVE-2009-1376. An attacker can exploit this by sending two consecutive SLP packets to a victim via MSN.

    The first packet is used to create an SLP message object with an offset of zero, the second packet then contains a crafted offset which hits the
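    The two-packet pattern in the parent comment (a message object created with an offset of zero, then a second chunk carrying a crafted offset) is the textbook case where a reassembly buffer has to validate every chunk against the size it was allocated for. The following is an added example written for this page, not libpurple's SLP code; the msg_buf type, the function names and the 1 MiB cap are constructed for illustration. It shows the check a defender wants in any chunked-message parser: both the chunk's offset and its end are compared against the announced total, and the end check is written as a subtraction so an oversized offset cannot wrap offset + length around.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical reassembly buffer for a message that arrives as several
 * chunks, each tagged with an (offset, length) pair. This is an added
 * illustration, not libpurple's SLP code; names and the 1 MiB cap are
 * constructed for the example. */
typedef struct {
    uint8_t *data;      /* buffer allocated from the announced total size */
    size_t   total;     /* size announced when the message was started   */
    size_t   received;  /* bytes copied so far                           */
} msg_buf;

#define MSG_MAX_TOTAL (1u << 20)   /* constructed upper bound on a message */

/* Start a message from its first chunk header, which announces the total
 * size. Returns 0 on success, -1 if the size is unreasonable. */
int msg_begin(msg_buf *m, uint64_t total)
{
    if (total == 0 || total > MSG_MAX_TOTAL)
        return -1;
    m->data = calloc((size_t)total, 1);
    if (m->data == NULL)
        return -1;
    m->total = (size_t)total;
    m->received = 0;
    return 0;
}

/* Copy one chunk into the buffer. A later chunk may not move the write
 * position past the size fixed by msg_begin(): both the offset and the end
 * of the chunk are checked, and the end check is a subtraction so that a
 * huge offset cannot make offset + len wrap around to a small value. */
int msg_append(msg_buf *m, uint64_t offset, const uint8_t *chunk, size_t len)
{
    if (m->data == NULL)
        return -1;
    if (offset > m->total)             /* offset itself outside the buffer */
        return -1;
    if (len > m->total - offset)       /* chunk would run past the end      */
        return -1;
    memcpy(m->data + offset, chunk, len);
    m->received += len;
    return 0;
}

void msg_free(msg_buf *m)
{
    free(m->data);
    m->data = NULL;
    m->total = m->received = 0;
}

/* Two well-formed chunks (the first at offset zero) fill a 16-byte message.
 * Returns 1 when both are accepted and the payload is intact. */
int demo_accepts_valid_chunks(void)
{
    static const uint8_t first[8]  = "ABCDEFGH";   /* constructed payload */
    static const uint8_t second[8] = "IJKLMNOP";
    msg_buf m;
    int ok = 0;
    if (msg_begin(&m, 16) != 0)
        return 0;
    if (msg_append(&m, 0, first, 8) == 0 &&
        msg_append(&m, 8, second, 8) == 0 &&
        m.received == 16 &&
        memcmp(m.data, "ABCDEFGHIJKLMNOP", 16) == 0)
        ok = 1;
    msg_free(&m);
    return ok;
}

/* A first chunk at offset zero followed by second chunks whose offsets lie
 * outside the announced size. Returns 1 when every bad chunk is rejected
 * and only the first chunk's bytes were written. */
int demo_rejects_bad_offset(void)
{
    static const uint8_t first[8]  = "ABCDEFGH";
    static const uint8_t second[8] = "IJKLMNOP";
    msg_buf m;
    int ok = 0;
    if (msg_begin(&m, 16) != 0)
        return 0;
    if (msg_append(&m, 0, first, 8) == 0 &&
        msg_append(&m, 0x7fffffffULL, second, 8) == -1 &&   /* far past end  */
        msg_append(&m, UINT64_MAX - 4, second, 8) == -1 &&  /* would wrap    */
        msg_append(&m, 12, second, 8) == -1 &&              /* runs off end  */
        m.received == 8)
        ok = 1;
    msg_free(&m);
    return ok;
}

int main(void)
{
    printf("valid chunks accepted: %d\n", demo_accepts_valid_chunks());
    printf("bad offsets rejected:  %d\n", demo_rejects_bad_offset());
    return 0;
}
```

    The point of the three rejected cases is that a single `offset + len <= total` test is not enough when the offset comes from the wire: with a 64-bit offset near its maximum the addition wraps and the test passes, so the comparison is done on `total - offset` after the offset alone has been checked.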
  • that's google talk's default privacy policy !
  • It's not the pidgin/purple/xmpp teams' fault(s), but this is astoundingly slow progress. That's one audio/video protocol out of many (msn, yahoo, etc. still need to be done from the sound of things). It's been years since the jingle reference library was opened up by google. In the meantime, google have moved on to Wave, twitter has happened, social networking has happened (granted, pidgin has a facebook IM extension), rapid download sites that compete with bittorrent have happened (and file transfers in

    • by CRCulver (715279)
      If the gaim crew hadn't been stuck in protracted negotiations over their name with AOL, progress would have happened much sooner. That year of stagnation as the team was told their project was infringing was a serious blow to development.
    • by cbhacking (979169)

      What really surprises me is lack of video over MSN, since Kopete (Konqueror's built-in IM client, which is in many ways comparable to Pidgin) has had MSN video chat for (about?) 2 years now, maybe longer. Both are open source, and while I'm not sure what Kopete's license is, surely they could share specifications even if they can't share code?

      • You mean KDE's client. Konqueror is a browser and does not include an IM client :)

        FWIW, Kopete is GPL, like Pidgin. Qt used to be GPL (until 4.5 when it was also released as LGPL) so you'll find all KDE software is GPL as well.

  • only for linux, so windows people are --t out of luck
  • It's a bit misleading to say that Pidgin now implements video and voice for XMPP networks. They have implemented video and voice for the protocols that Google Talk uses which are unique to Google Talk. Other services (such as iChat) use different video and voice protocols on XMPP (possible on the Google Talk network). Since there is no unified protocol for video and voice on XMPP each service uses their own "proprietary" protocols piggybacked on an XMPP network. I guess us snobby iChat users will just cont
    • Re: (Score:3, Insightful)

      by Paaskonijn (1220996)

      I guess us snobby iChat users will just continue to talk to each other.

      As if you'd have it any other way. ;)

    • by igjeff (15314)

      Uhm...to say that there is no unified protocol for video and voice on XMPP just doesn't match reality.

      The jingle specs are fairly universal in the XMPP world. Google's, interestingly enough, is actually a bit out of date at this point, but they've promised to update to the jingle specs once the XSF has settled them, which has only really happened pretty recently.

      Other clients that support some level of jingle A/V, where some of them may be audio only (and remember, there's basically no support needed at th

      • by uhoreg (583723)

        Telepathy/Empathy also supports Jingle. Coccinella (two "c"s) supports Jingle, but uses IAX [coccinella.im] as the transport, so you won't be able to chat with most other people.

        By the way, the base Jingle spec is XEP-0166 [xmpp.org], and was just recently advanced to "Draft" status.

  • Pidgin Adds Google Talk Voice and Video Support (and a Vulnerability)

    Yeah, get there where MS is I say!

  • This is especially great news for those of us in places like the middle east, where greedy telephone monopolies block traditional VoIP traffic in order to hold on to their ancient business models. Google talk is increasingly becoming the de facto standard for international calls for the migrant population and the like.
  • by Ilgaz (86384) on Thursday August 20, 2009 @06:42AM (#29130969) Homepage

    First of all, to that security company. Good job really publicizing a vulnerability without checking with the unpaid developers of a complete open source project. Also whatever junk you use to create the pages doesn't work with Opera 10 and I am too tired to fire up another browser.

    Second: Where are you "web 2.0" cool privacy killing instant messenger sites built on Pidgin libraries, where is your patch to the security vulnerability? Can't you spare some of the entrepreneur provided millions to hire some actual developers and fix the issues with the core you rely on?

    Third: How hard is it to assign a couple of MSN, AOL, Yahoo developers to the Pidgin project by the respective companies and let them maintain their own mess which they call a "protocol"? It is not like 100s of millions of Win32 users will use a GTK2 client on their Windows while you already push your own with the OS install, right? I talk about 3 guys at most, who will at least oversee the protocol development.

    All we "open standards" loving nerds are running a bunch of closed source, proprietary, low quality, badly engineered IM protocols and at the end, people who are unpaid, overworked, struggling to keep up with the junk above get the blame... It is a huge shame really.

  • hey look my first accepted story
