Discussion:
libpurple vulnerabilities / State of the project
Felix Dreissig
2015-01-13 23:29:35 UTC
Hi,

on 22 October 2014, Pidgin 2.10.10 was released, fixing several security vulnerabilities. One of those is an arbitrary memory read via XMPP (CVE-2014-3698). I can see no indication that Adium might not be vulnerable to these issues.

The latest release of Adium dates to 19 May 2014 and contains libpurple 2.10.9.
Overall project activity from the outside appears to have diminished: there is some commit activity, but the latest post on this mailing list is from September, and even "Hot issues" from the website like ticket 16834 rarely get someone working on them.

At the same time, Adium still is the common (and only?) solution for OTR on OS X and recommended to crypto novices [1] as well as journalists [2] as an anti-surveillance tool.
Is there any specific reason why development has declined or just the usual lack of time / people? How likely is this situation to persist? Can you name kinds of resources that would improve it and enable the project to get traction again?

Best regards,
Felix

[1] https://www.cryptoparty.in/overview_tools
[2] https://freedom.press/encryption-works
Thijs Alkemade
2015-01-14 07:21:24 UTC
Hi Felix,
Post by Felix Dreissig
Hi,
on 22 October 2014, Pidgin 2.10.10 was released, fixing several security vulnerabilities. One of those is an arbitrary memory read via XMPP (CVE-2014-3698). I can see no indication that Adium might not be vulnerable to these issues.
The vulnerability only applies when libpurple is built with libidn support, which Adium 1.5 isn’t.
Post by Felix Dreissig
The latest release of Adium dates to 19 May 2014 and contains libpurple 2.10.9.
Overall project activity from the outside appears to have diminished: there is some commit activity, but the latest post on this mailing list is from September, and even "Hot issues" from the website like ticket 16834 rarely get someone working on them.
At the same time, Adium still is the common (and only?) solution for OTR on OS X and recommended to crypto novices [1] as well as journalists [2] as an anti-surveillance tool.
Is there any specific reason why development has declined or just the usual lack of time / people? How likely is this situation to persist? Can you name kinds of resources that would improve it and enable the project to get traction again?
The Adium project consists of volunteers who work on Adium in their free time. There are only a handful of developers left, and (speaking only for myself) with not as much motivation as before. The best resource to improve traction would obviously be more developers. :)

Best regards,
Thijs
Felix Dreissig
2015-01-14 16:30:16 UTC
Hi,
Post by Thijs Alkemade
Post by Felix Dreissig
Hi,
on 22 October 2014, Pidgin 2.10.10 was released, fixing several security vulnerabilities. One of those is an arbitrary memory read via XMPP (CVE-2014-3698). I can see no indication that Adium might not be vulnerable to these issues.
The vulnerability only applies when libpurple is built with libidn support, which Adium 1.5 isn’t.
Glad to hear that. This also leaves me less confused, since you are attributed as one of the issue’s discoverers as well.

Of the other security issues fixed in Pidgin 2.10.10, one looks specific to Pidgin too (CVE-2014-3694), one only affects Windows (CVE-2014-3697), and one concerns the MXit protocol, which currently doesn't seem to be supported by Adium (CVE-2014-3695).
Which leaves CVE-2014-3696: can you tell anything about that in regard to Adium? Although GroupWise is presumably used much less than XMPP and it looks like "just" a DoS without an option for anything more, it would still be an outstanding security issue.

Regards,
Felix
