
Pidgin Adds Google Talk Voice and Video Support (and a Vulnerability)

timothy posted more than 5 years ago | from the hey-sometimes-stuff-happens dept.

Communications 127

ottothecow writes "While various attempts at video and voice support have been in the pipeline since long before GAIM became Pidgin, fully functioning support over XMPP is on its way. Lifehacker reports that Pidgin 2.6 adds voice and video support for GChat (and presumably any other XMPP network) for Mac and Linux. Windows still has a few bugs but they are being worked on. Pidgin 2.6.1 is only available as source at the moment (but precompiled versions are available at getdeb)." Less happily, an anonymous reader writes "A remote arbitrary-code-execution vulnerability has been found in Libpurple (used by Pidgin and Adium instant messaging clients, among others), which can be triggered by a remote attacker by sending a specially crafted MSNSLP packet with invalid data to the client through the MSN server. No victim interaction is required, and the attacker is not required to be in the victim's buddy list (under default configuration)."


Mac Binaries (2, Informative)

slummy (887268) | more than 5 years ago | (#29125799)

Are not available yet.... :(

http://pdb.finkproject.org/pdb/package.php/pidgin [finkproject.org]

Re:Mac Binaries (1, Funny)

Anonymous Coward | more than 5 years ago | (#29125829)

Get a compiler, and make them.

Re:Mac Binaries (1)

Ilgaz (86384) | more than 5 years ago | (#29130911)

If he has Fink, he already has a compiler, some .info file having all the necessary patches and fixes to possible linuxism but it is not the deal.

"compile your own" sounds more like "provide your .patch" which serves nothing to the purpose. We don't do such RTFM flames on OS X, at least yet.

The idea behind Fink and Macports is to provide end user access to the gigantic Unix/BSD layer of OS X otherwise left unused unless he is a Developer and having same class of citizenship among other *nix operating systems. The "end user" is the significant thing. They buy a Unix 03 compliant OS while buying OS X and they have full right to use all of its features without the needless ./configure and the chaos in /usr/local

Re:Mac Binaries (2, Interesting)

nawcom (941663) | more than 5 years ago | (#29128991)

Are not available yet.... :(

Bah, don't worry; Adium will quickly integrate support I'm sure. I don't know about you but I'd prefer Adium over the Pidgin design for ANY operating system any day. Unfortunately they use Mac only frameworks. Porting (and most likely using an easy OS independent toolkit like Qt) would be a great project for inactive coders. Dunno about you, but I find Skype's interface 20 times more attractive than Pidgin's. Skype uses Qt 4.

Re:Mac Binaries (2, Insightful)

am 2k (217885) | more than 5 years ago | (#29130195)

Bah, don't worry; Adium will quickly integrate support I'm sure.

(I'm an Adium dev)

Actually, it doesn't look like that right now. We have a severe shortage of programming contributors, and the only ones that could do this (me included) don't have the time for it.

Re:Mac Binaries (1)

Ilgaz (86384) | more than 5 years ago | (#29130843)

Getting Mac binaries via Fink is relatively easy. Send a polite mail to package maintainer describing the security issue and if you are experienced in Fink, just simply say "I tried to build (via my .info in local), it builds fine just by updating source URL" or "it doesn't build since it needs xxxx package updated".

I bet in hours, it will pop up in "fink selfupdate"

BTW, Fink doesn't provide a lot of "apt-get deb" type binaries as OS X is an ever changing OS with things beyond their control (e.g. Apple adding new libxml in a simple system update). Of course, if you have a Desktop powerful machine, you can make it own binary distro server.

ouch (1)

pha7boy (1242512) | more than 5 years ago | (#29125841)

"No victim interaction is required, and the attacker is not required to be in the victim's buddy list (under default configuration)."

ouch. that's a massive hole in security. I take it that would require re-write on the server side to prevent execution.

Re:ouch (1, Insightful)

Brian Gordon (987471) | more than 5 years ago | (#29125889)

Server side? No.. it's a client issue.

Anyway as far as I'm concerned Pidgin abandoned its credibility a long time ago. I don't need an IM application anyway; if I need to contact someone I just open Gmail. If they're not online then email is right there.

Re:ouch (0, Troll)

Anonymous Coward | more than 5 years ago | (#29125955)

I can't wait until Google has access to all information about everything and everyone. That's going to be great! Right? Hello?

Re:ouch (1)

tecnico.hitos (1490201) | more than 5 years ago | (#29128765)

Don't worry.

Google is watching you.

Re:ouch (-1, Troll)

Anonymous Coward | more than 5 years ago | (#29126011)

Server side? No.. it's a client issue.

Anyway as far as I'm concerned Pidgin abandoned its credibility a long time ago. I don't need an IM application anyway; if I need to contact someone I just open Gmail. If they're not online then email is right there.

"Pidgin" is just a fancy word for the low-class broken English that most American blacks speak. Look it up if you don't believe me. So as far as I'm concerned, it never had any credibility in the first place.

Re:ouch (5, Interesting)

EvanED (569694) | more than 5 years ago | (#29126043)

"Pidgin" is just a fancy word for the low-class broken English that most American blacks speak. Look it up if you don't believe me. So as far as I'm concerned, it never had any credibility in the first place.

What? Way to project your own biases. "Pidgin" languages are any sort of conglomeration languages that develop when you have two peoples that don't have a common language who have to communicate.

In fact, the "low-class broken English that most American blacks speak" (let's even ignore the glaring inaccuracy of that phrase) is really not a pidgin language at all.

Re:ouch (0)

Anonymous Coward | more than 5 years ago | (#29126657)

"Pidgin" is just a fancy word for the low-class broken English that most American blacks speak. Look it up if you don't believe me. So as far as I'm concerned, it never had any credibility in the first place.

What? Way to project your own biases. "Pidgin" languages are any sort of conglomeration languages that develop when you have two peoples that don't have a common language who have to communicate.

In fact, the "low-class broken English that most American blacks speak" (let's even ignore the glaring inaccuracy of that phrase) is really not a pidgin language at all.

actually, what you are referring to is a creole - a mix of two languages. a pidgin is a subset of a language spoken by non-native speakers. pidgins become creoles when the non-native speakers add their own words and pass it on to their children as a de-facto native language for them.

Re:ouch (-1, Troll)

Anonymous Coward | more than 5 years ago | (#29126699)

In fact, the "low-class broken English that most American blacks speak" (let's even ignore the glaring inaccuracy of that phrase) is really not a pidgin language at all.

I guess you're right, it's just shitty English. Sorry, I was giving them too much credit. Far too much, considering that every other ethnicity that comes to this country masters proper English and can speak it like a native within a generation or two. If a Chinese person can come to America and have children who speak English like a native speaker, how much of an excuse should we extend to black people whose ancestors have been in this country for at least 200 years?

They are trying to have their cake and eat it too. They want to maintain a distinctly separate culture with its own dialect, mannerisms, customs, and norms that flies in the face of the culture of the majority. This culture includes many maladaptive behaviors, such as glorifying and idolizing thugs or eschewing education because it's "too white". Then they insist that everyone else accept and adopt this culture because only a racist would not wish to have it imposed on him. Thus who rejects this culture is of course doing it out of racism and not because he doesn't want to acquire maladaptive behaviors rooted in an artificial group identity. This is a recipe for endless "racial" ("culture of people who look somewhat like you") conflict. Black people are their own worst enemies.

And the phrase was pretty accurate. Fo shizzle mah nizzle. Just answer one question: how many American blacks could call you on the telephone without you recognizing from their speech that they are black? The only people you might confuse them for are the suburban wiggers who are trying very hard to SOUND black. That's further proof that this is about culture and not really about race, otherwise they would be working very hard on their tans instead of working on their speech and mannerisms.

Once you see the silliness of all of this, you see it really is just shitty English and was only shitty English the whole time. It's just shitty English that enough people have identified with that it has become legitimized in the minds of those who don't think for themselves. This is defended from intellectual attack by answering all criticism with cries of "racism". Enjoy your political correctness.

Re:ouch (0)

Anonymous Coward | more than 5 years ago | (#29128421)

a pidgin is a mixture of languages with no grammar. i believe it becomes a 'creole' when grammar develops.

Re:ouch (1)

Anonymous Psychopath (18031) | more than 5 years ago | (#29129335)

I've only ever heard pidgin in reference to something the locals in Hawaii speak, but never in reference to mainland black dialects. I think we're still calling that ebonics or some such made-up word?

Re:ouch (2, Funny)

Anonymous Coward | more than 5 years ago | (#29129717)

I think we're still calling that ebonics or some such made-up word?
As opposed to every other word out there that was found in nature?

Made-up words (0)

Anonymous Coward | more than 5 years ago | (#29129917)

Ah yes, "made-up words." Totally inferior to those words that humanity was blessed with when they were handed down by the angels.

Re:ouch (1)

CRCulver (715279) | more than 5 years ago | (#29130173)

The term "Ebonics" is a sensationalist media creation. In linguistics, the term is African-American Vernacular English, usually abbreviated AAVE.

Re:ouch (1)

RichardJenkins (1362463) | more than 5 years ago | (#29126755)

No, you're thinking (I kid! I kid!) of the word "patois". Pidgin is quite a good name for an IM client that can be used for many different, incompatible protocols.

Re:ouch (0)

Anonymous Coward | more than 5 years ago | (#29128657)

"Pidgin" is just a fancy word for the low-class broken English that most American blacks speak. Look it up if you don't believe me. So as far as I'm concerned, it never had any credibility in the first place.

So, I didn't believe you. And I looked it up. And you're wrong.
http://en.wikipedia.org/wiki/Pidgin
I think you meant Ebonics.

Re:ouch (1)

V!NCENT (1105021) | more than 5 years ago | (#29130385)

Don't you think that a pidgin is just a bird that people used to send mail to each other when there was no post office, like they did in medieval times, you fucking retard?!

Re:ouch (1)

CRCulver (715279) | more than 5 years ago | (#29130447)

That would be a pigeon, not a pidgin.

Re:ouch (1)

V!NCENT (1105021) | more than 5 years ago | (#29130651)

Pidgin could be a pidgin word for pigeon as the logo of the IM client suggests. So I stand for 30% corrected.

Re:ouch (1)

CRCulver (715279) | more than 5 years ago | (#29130705)

"Pidgin" is actually a Pidgin word for "business".

Re:ouch (4, Insightful)

Luke has no name (1423139) | more than 5 years ago | (#29126319)

-1 for not backing up your statement on Pidgin's credibility.

And good for you that all your contacts reside on GMail, and that you prefer a GMail's web app to a desktop app that centralizes the many forms of communication on the Net. If that works for you, fine. It does not work for me. I want faster response time, a unified UI for all my communication, more flexible message notification, logging, etc. that keeps me in control of my settings and data locally.

cp -a /home/me/.purple/ /media/Backup/Pidgin/

I have friends on AIM, Facebook, GMail, and one or two with their own XMPP address. Fortunately, I do not need MSN to contact anyone I know.

Re:ouch (4, Funny)

93 Escort Wagon (326346) | more than 5 years ago | (#29126849)

I don't need an IM application anyway; if I need to contact someone I just open Gmail.

If I need to contact someone, I just yell really loud.

Re:ouch (1)

icannotthinkofaname (1480543) | more than 5 years ago | (#29129059)

Are you serious? Why would you waste your energy like that? When I need to contact someone, I summon my minions and have them deliver the desired person for a conversation.

Re:ouch (2, Funny)

Anonymous Coward | more than 5 years ago | (#29129275)

Thanks, Vin Diesel.

The rest of us have to use whistles.

Re:ouch (1)

Ilgaz (86384) | more than 5 years ago | (#29130775)

Pidgin is way more than "AOL client works under X11" now. It has become some kind of IM kernel & low level framework for instant messengers. So, you are in extremely funny area if you call it crap, you don't care about it and use state of art UI Adium instead.

Mobile instant messengers, web services rely on Pidgin too.

I use Pidgin compiled via Fink instead of Adium for a simple reason. I use Mac Mini on a 720P HDTV and X11 is the only thing which reliably allows huge fonts I need. Let's not forget the absolutely low level (1%) CPU usage too.

Re:ouch (1)

TheLink (130905) | more than 5 years ago | (#29126265)

But that's not a server side problem.

Think of pidgin as an exploitable email client. Just because the server by default passes messages from anyone (that's not blacklisted) to the client does not mean it's a server problem. And certainly does not mean the server should be rewritten.

I'm not surprised pidgin has security problems. I stopped using pidgin because it crashes or locks up for stupid reasons. Pidgin is written in C. With C (or C++), "crash bugs" often turn out to be "remote execution of arbitrary code of the attacker's choice" bugs.

Re:ouch (1)

kestasjk (933987) | more than 5 years ago | (#29126551)

Well no, people who aren't buddies still need to be able to communicate, and you'd hope such communication would be checked extra thoroughly.

I'm on Windows and use Pidgin only because I hate Windows Live Messenger, the ads and tabs and needless features and static "Vista-esque" window borders make it feel like 90's RealPlayer's take on IM. When Pidgin was crashing all the time during the last major update I gave Windows Live Messenger another honest go, but couldn't bear it.

I even tried to get Pidgin compiling in Eclipse to lend my eyeballs and shallow out a few bugs, but it's very unix-oriented unfortunately and I also found the code very difficult to navigate. I think that's because I use it for MSN and it's supposed to be multi-client, but even so the module interfaces were far from self-explanatory.
More than anything I feel like C just isn't an appropriate language for something that'd have such an impact if a hole is found, why not Java, or Mono?

Can you imagine the chaos if a similar bug was found in Windows Live Messenger? Even if it was "only" limited to people on your friends list it'd be the biggest worm since Blaster. Maybe I'll try again now, since at the moment I have to have Pidgin offline, but I really wish there was an FOSS MSN client for Windows that gets the basics right and is secure (and not just because no-one has heard of it).

Of course this is a crappy thing to get at a celebratory new release time, and if Pidgin devs are reading I do appreciate the work a lot, but more than any network enabled app that I have running 24/7 Pidgin is by far the most concerning.

tl;dr: Pidgin need to sort their shit out regarding security, but thanks for keeping the updates coming

Re:ouch (2, Interesting)

i.of.the.storm (907783) | more than 5 years ago | (#29126715)

Err, the bug was already fixed and no vulnerable builds were even built for Windows. And incidentally, it'd be easier to just use the WinPidgin build environment fetcher script and cygwin or msys (I prefer msys) than try to compile it with eclipse, although once you have the environment set up eclipse should be able to use it as a Makefile project.

Re:ouch (1)

shutdown -p now (807394) | more than 5 years ago | (#29128365)

If you're on Windows, why do you even bother with Pidgin? There are numerous better native solutions; for a multi-network client (yes, it includes MSN/Live), I prefer Miranda IM as a very lightweight and stable client.

Re:ouch (5, Funny)

Anonymous Coward | more than 5 years ago | (#29130159)

It's like carbon credits.

It is for people who support FSF and feel guilty for running a closed source OS. Instead of actually installing Linux, they offset their use of closed source by installing an open source application. It helps to reduce the guilt and increase "street credentials" among their fellow dwellers of cubicles.

As an example I have Windows XP running Photoshop. In order to offset I looked up the FSF Source-Credits Guide Lines and Regulations Handbook (FSCGLRH) and found out:

Windows XP +10 Source Credits
Photoshop = +5 Source Credits

Offsets I selected:
Pidgin = -4 Source Credits
OpenOffice = -5 Source Credits
Gimp* = -3 Source Credits
Amaya** = -3 Source Credits

*I do not use Gimp, however by installing it, I offset my credits by 3. Thereby reducing my guilt by d6 with a +1 modifier.
** I commonly use FireFox, however, it provides only 0 credits, Amaya on the other hand offsets my credits by 3.

I am happy to say that I am Source Credit Neutral as defined by FSCGLRH. I am even thinking about installing X-Chat 2 in order to sell my credits to offset other people.

Re:ouch (1)

shutdown -p now (807394) | more than 5 years ago | (#29130185)

But Miranda IM is an Open Source client - it's GPL, and it doesn't get any more kosher than that.

Or is it ritually impure because it is coded as a native Win32 application?

Re:ouch (1)

Ilgaz (86384) | more than 5 years ago | (#29130717)

Ritually impure I think. No kidding, if it linked to GTK2 , it would have better credibility as "open source". Weird but true.

Also Miranda has tendency to stay simple, light and use whatever feature Windows frameworks provide to it. I remember it was one of the first (if not first) IM to use Win2k transparency feature among Windows clients. It had it because it made sense for an "always on top" thing to be transparent, not for show off purposes. Anyway, if you go to the author and suggest a "super cool" feature which will add bulk to client but will benefit 1%, it will likely be ignored. Such open source gets limited support.

Re:ouch (1)

DaVince21 (1342819) | more than 5 years ago | (#29130907)

But what guilt, exactly? I didn't realize using (most) products made by companies induced guilt...

Re:ouch (1)

TheRaven64 (641858) | more than 5 years ago | (#29126951)

Not surprising. As someone who has written an XMPP library that has to be compatible with the pile of crap now known as libpurple, it's clear that the authors read 'MUST NOT' in a specification as 'is probably a good idea'. I wouldn't trust code written by them anywhere near a machine that contained any important information.

Re:ouch (-1, Troll)

Anonymous Coward | more than 5 years ago | (#29127763)

There's a surprise - another Microsoft product with a remote code execution vulnerability. They should make it part of their campaign for their new "cloud" offering: "Microsoft: executing code remotely on more machines than anyone else".

Re:ouch (1)

skaet (841938) | more than 5 years ago | (#29128753)

Love it when posters don't read the summary. The vulnerability was found in libpurple. Not the MSN service.

How about some autoupdate? (1)

QuantumG (50515) | more than 5 years ago | (#29125911)

on windows... if you've got security vulnerabilities, you should be pushing updates.

Oh, and about a month ago MSN connectivity died anyway, so I switched to using the HTTP connecting method. From looking at the code, it seems this isn't affected by this issue.

Re:How about some autoupdate? (1, Interesting)

Anonymous Coward | more than 5 years ago | (#29126387)

I'm not sure what platform you're on but that issue was related to the new version of nss turning off insecure hash algorithms, some of which are still used in MSN's cert. It just takes setting an environment variable to enable the hashes again.

As far as updates, the client can be set to notify you of new updates, but since only windows would need auto update no one's ever gone about writing the code to do it.

Re:How about some autoupdate? (2, Informative)

i.of.the.storm (907783) | more than 5 years ago | (#29126505)

Well, if you enable the Release Notifications plugin it will tell you about updates. I did once post to the mailing list about adding an auto-update feature, but since Pidgin is multiplatform and a built-in autoupdate doesn't make sense on Linux with package managers, the idea was rejected. But really, the Release Notifications plugin is more or less good enough.

Re:How about some autoupdate? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#29129823)

That reason makes no sense at all. Look at firefox as an example. Firefox that comes with my version of Ubuntu disables the update feature because it gets handled by the package manager. However, I run Firefox 3.5, which I downloaded from Mozilla's site and that lets me update when it is available. There is no reason at all why pidgin couldn't write an OS agnostic (It's network code for God's sake) for an update and set an option in compilation that lets distributions disable it. All in all, a very piss poor excuse.

Re:How about some autoupdate? (4, Insightful)

RiotingPacifist (1228016) | more than 5 years ago | (#29127469)

Right, if you're running a vulnerable app, you should let it update itself, sigh!

Re:How about some autoupdate? (1)

Runaway1956 (1322357) | more than 5 years ago | (#29127607)

"you should be pushing updates"

That is NOT the open source way. I think that all open source advocates will agree (no matter which version of open source they advocate) that the strength of open source is CHOICE.

No code is perfect. Windows users know as well as anyone that aggressively pushing updates can break applications, and even the OS. Remember XP SP2 and SP3? The SP2 issues never affected me, but one of my XP machines totally barfed when SP3 was installed.

There is nothing to guarantee that pushing an update for Pidgin onto your machine, without even asking you first, won't make YOUR machine barf. Much better to allow you to find the update, download it, MAKE A BACKUP, then install it yourself. OK, so your machine didn't barf, but some little obscure feature that you just LOVE has stopped working. Do a restore, and you've got your feature back, no problem.

See? Choice, and control over your own machine. Don't ask an open source operation to push updates.

ummmm? (5, Informative)

CRiMSON (3495) | more than 5 years ago | (#29126005)

2.6.1 is only available as source at the moment?

http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.1.exe [sourceforge.net]

So that's magic? If you install that do the terrorists win?

Re:ummmm? (1)

Desler (1608317) | more than 5 years ago | (#29126039)

It's even funnier because after it says that it's only available as source there is a link provided to compiled binaries. So which is it?

Holy contradictory stories, Batman! (1)

Rogerborg (306625) | more than 5 years ago | (#29126065)

5. Non-vulnerable packages * Libpurple >= 2.5.9 (Pidgin >= 2.5.9)

But... but... which version of Pidgin has just been released? So hard to remember... must... concentrate, dammit!

Re:Holy contradictory stories, Batman! (0)

Anonymous Coward | more than 5 years ago | (#29126113)

How is this contradictory? 2.6.1 was just released, adding new features. In unrelated news, anything older than 2.5.9 is vulnerable to a particular exploit.

Re:Holy contradictory stories, Batman! (1)

CannonballHead (842625) | more than 5 years ago | (#29126225)

Hardly unrelated. So related, in fact, that it would have been nice if the summary made mention of the fact that it only affects

It'd be like me saying "New Linux Kernel released! Also, Linux has a security hole that allows arbitrary code execution!" And then, in small print, "Oh, by the way, it only affects

Re:Holy contradictory stories, Batman! (1)

petermgreen (876956) | more than 5 years ago | (#29126537)

I would agree with you if it wasn't for the fact that 2.5.9, 2.6.0 and 2.6.1 were released on the same day.

So unless you were very aggressive with your updating you would most likely still be running an affected version.

Re:Holy contradictory stories, Batman! (1)

i.of.the.storm (907783) | more than 5 years ago | (#29126729)

Nonono, you don't get it. 2.5.9 contains the bug fix for people/distros who don't want to move to a new major release. 2.6.0 was released, but it had a separate bug, so 2.6.1 was released later that day to fix that bug. Either way, most people should be safe, since 2.6.0 hardly had a chance to be recommended.

Re:Holy contradictory stories, Batman! (1)

petermgreen (876956) | more than 5 years ago | (#29130935)

Nonono, you don't get it. 2.5.9 contains the bug fix for people/distros who don't want to move to a new major release.
Do you have anything to back up that claim or is it just a guess?

Re:Holy contradictory stories, Batman! (1, Informative)

Anonymous Coward | more than 5 years ago | (#29126159)

I think they released 2.5.9, 2.6.0 and 2.6.1 on the same day. They are really trying hard to look amateurish.

Re:Holy contradictory stories, Batman! (2, Insightful)

i.of.the.storm (907783) | more than 5 years ago | (#29126761)

No, they're trying to be professional and principled about things. Pidgin is one of the few projects that has standards about versioning, unlike eg. Firefox which goes more along the lines of whatever they feel like bumping the version by. More seriously, Firefox has a longer development cycle between major releases but in general they seem to just bump their version roughly proportionally to the amount of time a release was in development. In Pidgin land, major.minor.x releases are just security/bugfix releases, major.minor releases add features, and major releases break API, or something along those lines. 2.5.9 is a separate line from 2.6, and it's just to patch the vulnerability for those that won't move to the 2.6 line right away.

Re:Holy contradictory stories, Batman! (2, Informative)

i.of.the.storm (907783) | more than 5 years ago | (#29126315)

So 2.5.9 is a stability release for distros/maintainers who don't want to upgrade to 2.6.0 for whatever reason. 2.6.0 was released at the same time as 2.5.9 but a bug was immediately found so then they released 2.6.1.

Where is the source package? (1)

GPLHost-Thomas (1330431) | more than 5 years ago | (#29126211)

Ok, it's available from "getdeb". But where do I get it for plain Debian Stable (Lenny), or where do I get the .diff.gz and .dsc files to compile them myself?

Re:Where is the source package? (1)

Raptor851 (1557585) | more than 5 years ago | (#29126351)

same place it's always been http://sourceforge.net/projects/pidgin/ [sourceforge.net]

Re:Where is the source package? (-1, Flamebait)

GPLHost-Thomas (1330431) | more than 5 years ago | (#29126421)

Are you dumb or just dumb? Or maybe is it that you can't read?

I am talking about the DEBIAN source package, made out of a .orig.tar.gz, a .dsc and a .diff.gz. That is 3 files, not 1 tar.bz2...

Re:Where is the source package? (1)

petermgreen (876956) | more than 5 years ago | (#29126461)

There are debianised source packages for 2.6.1 on getdeb (you have to follow the link for a particular distro release and then there is a source link there), dunno how well made they are.

2.5.9 is available in debian sid and at least up until now I've found sid's pidgin packages compile fine on lenny.

Re:Where is the source package? (2, Informative)

petermgreen (876956) | more than 5 years ago | (#29126933)

Here is a recipe to build a set of 2.6.1 packages for debian lenny based on the packaging ari has done for sid (but not uploaded yet hence the download from svn.debian.org).

# Fetch the upstream tarball and repack it as the Debian .orig.tar.gz
wget http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.1.tar.bz2
bunzip2 pidgin-2.6.1.tar.bz2
tar -xf pidgin-2.6.1.tar
gzip pidgin-2.6.1.tar
mv pidgin-2.6.1.tar.gz pidgin_2.6.1.orig.tar.gz
cd pidgin-2.6.1
# Pull the sid packaging (debian/ directory) at a fixed revision
svn export -r 14052 svn://svn.debian.org/svn/collab-maint/deb-maint/pidgin/trunk/debian
# Build against the tcl/tk 8.5 -dev packages instead of 8.6
sed -i s/tcl8.6-dev/tcl8.5-dev/ debian/control
sed -i s/tk8.6-dev/tk8.5-dev/ debian/control
# Drop the libgstfarsight build dependency and two versioned constraints
sed -i 's/libgstfarsight0.10-dev (>= 0.0.9),//' debian/control
sed -i 's/(>= 0.4.53)//' debian/control
sed -i 's/(>= 1.1.1)//' debian/control
# Build without voice/video support
sed -i 's/--enable-vv/--disable-vv/' debian/rules
dpkg-buildpackage

if it complains about missing build-depends install them and run dpkg-buildpackage again

note: I had to disable video/voice because libgstfarsight is not available in lenny.

Voice and video programs (0)

Anonymous Coward | more than 5 years ago | (#29126275)

Is there a good, reliable program that's available for Windows and Mac OS X for voice and video communication?

And no, I'm not going to install anything from Microsoft.

Re:Voice and video programs (1)

Darkness404 (1287218) | more than 5 years ago | (#29126383)

Skype?

Pidgin is actually pretty good in the amount of things it supports, I have some friends on AIM, MSN, and others on various others. It helps centralize things.

The vulnerability wasn't ADDED it was FIXED! (0)

Anonymous Coward | more than 5 years ago | (#29126313)

The vulnerability was fixed in 2.5.9 which was released just before the major update 2.6

So the msn server has to attack you? (1)

phantomcircuit (938963) | more than 5 years ago | (#29126331)

A vulnerability that is ridiculously unlikely to ever be seen in the wild? Oh no!

Re:So the msn server has to attack you? (0)

Anonymous Coward | more than 5 years ago | (#29129491)

Please read the advisory again. That's not the scenario.

Incorrect news: vulnerability is fixed (0)

Anonymous Coward | more than 5 years ago | (#29126345)

It looks like this reported vulnerability was fixed in 2.5.9 already:

http://developer.pidgin.im/wiki/ChangeLog#version2.5.908182009 [pidgin.im]

Another thing to note is that the link in the post also states this:

4. Vulnerable packages

        * Gaim >= 0.79
        * Libpurple = 2.5.8 (Pidgin = 2.5.8 and Adium = 1.3.5)
        * Other Libpurple frontends such as Finch might be vulnerable as well.

However, the latest version of Pidgin that adds the voice and video support is 2.6.1. I would say that this makes 2.6.1 much safer and feature rich than the versions we are currently running.

So I don't know a damn thing about this. . . (1)

MagusSlurpy (592575) | more than 5 years ago | (#29126357)

. . . but if it's going through the MSN server, doesn't that imply that one would have to be running an MSN login?

Does anyone actually use that anymore?

Re:So I don't know a damn thing about this. . . (1)

Darkness404 (1287218) | more than 5 years ago | (#29126441)

Yes, there are a lot of people still on MSN, and AIM, especially if they aren't that great with computers. A lot of them have Facebook, but Facebook chat is quite buggy and seems to fail on low-bandwidth connections (and recently has forced me to spoof my user agents in order to use Facebook chat with alphas of Firefox....).

Re:So I don't know a damn thing about this. . . (1)

petermgreen (876956) | more than 5 years ago | (#29126495)

Sadly most non-technical users here in the UK do and most of them are very difficult to persuade to either use a multiprotocol client or switch entirely.

Re:So I don't know a damn thing about this. . . (1)

geckipede (1261408) | more than 5 years ago | (#29126817)

Yes, because you can't just decide to use something different one day. Convincing all your friends to switch to something else isn't worth the effort.

Re:So I don't know a damn thing about this. . . (1)

sqrt(2) (786011) | more than 5 years ago | (#29126935)

It's highly regional. Japan I'm told is mostly Live Messenger (MSN). I actually like the MSN protocol more than AIM or anything else. The client too is very nice once you patch it to remove the ads and some other things. Unfortunately all of my friends still use AIM and there is nothing I can do to get them to switch. Some started using Skype for VOIP but they usually only turn it on when they want to make a call, preferring to use AIM the rest of the time.

Re:So I don't know a damn thing about this. . . (1)

Abreu (173023) | more than 5 years ago | (#29127081)

Since the local telecom monopoly here, Telmex, has an agreement with Microsoft, most internet users in Mexico use MSN for IM and Hotmail for email...

Sad, but true... so I unavoidably have to have an MSN client if I want to IM with people here

Just say no! (1)

higuita (129722) | more than 5 years ago | (#29130109)

It's simple... when asked for your IM address, say you use gtalk/gmail/jabber/xmpp and that you don't have MSN (you can't, you don't like it, you don't agree with the MS policy, etc.), then ask back if they have gmail or any other xmpp-based service. If they complain that they don't want to have 2 IMs open, say they can install multiprotocol clients.

In the start, you will be joked about; later you will see some people starting to use other IM networks, and when they reach critical mass, you will see that people start using both networks, and even later msn will slowly lose people because of the viruses/spam/etc.

Yes, in the start you will not be able to talk with many people, but that is required to force others to open up; if sooner or later they want to talk with you, they will have to open one account, and after that it is easier...

The change starts with you.

Re:So I don't know a damn thing about this. . . (0)

Anonymous Coward | more than 5 years ago | (#29130205)

Sad, but true... so I unavoidably have to have an MSN client if I want to IM with people here

Not really, this is exactly why XMPP (aka Jabber) was invented. Create an XMPP account on a server that allows transports, create an MSN account, add an MSN transport to your XMPP contact list. Now you can chat to people who use MSN as well as XMPP, using just your XMPP account. There are transports for AIM and other protocols as well.

I've been pushing XMPP a little among my friends. Unfortunately most of them are still on MSN but I'm starting to gain a few XMPP contacts.

To GP: MSN is unfortunately still very big in Europe as well. On the plus side, MSN integrates very nicely with XBox Live.

2.5.9 and 2.6.1 are different releases (5, Informative)

Laven (102436) | more than 5 years ago | (#29126375)

2.5.9 and 2.6.0 were both released Tuesday, August 18th addressing this security issue (CVE-2009-2694). 2.5.9 is 2.5.8 with only CVE-2009-2694 addressed and an unrelated crash bug fix. 2.6.0 contains CVE-2009-2694 in addition to many other bug fixes and the new Voice and Video support.

Unfortunately, another security issue was discovered with sending URLs over the Yahoo protocol and 2.6.1 was released on Wednesday, August 19th. According to the pidgin developers, 2.5.9 was not affected by this separate bug.

Note: The Voice and Video support in pidgin-2.6.1 is a bit fragile. You MUST have the latest version of farsight2 and the stack of libraries it requires. You may also need to open ports on your firewall to allow it to connect.

Re:2.5.9 and 2.6.1 are different releases (1)

i.of.the.storm (907783) | more than 5 years ago | (#29126765)

Yes, this is what I've been trying to say all over this thread. The slashdot summary is horribly incorrect.

Re:2.5.9 and 2.6.1 are different releases (2, Interesting)

Tenebrarum (887979) | more than 5 years ago | (#29127259)

Note: The Voice and Video support in pidgin-2.6.1 is a bit fragile. You MUST have the latest version of farsight2 and the stack of libraries it requires. You may also need to open ports on your firewall to allow it to connect.

To say the ruddy least. I've been trying to connect to friends' GTalk clients and it just doesn't work (although a couple of times I've managed to hear them).

Re:2.5.9 and 2.6.1 are different releases (1)

Ilgaz (86384) | more than 5 years ago | (#29130801)

How come Google engineers don't give a hand to Pidgin developers on that GTalk issue? It has been months now, all they need is an SVN client or something.

Isn't it the main purpose of using an open source framework like XMPP and enhancing on top of it instead of stupidly (hear me MS, AOL) trying to maintain your own closed network?

One side of Google does a genius move as using XMPP for GTalk and other side doesn't take advantage of it on such a critical issue and leaves implementation to developers who are already terribly busy keeping up 3rd party junk compatibility and security issues. This doesn't make sense. Did you see the things they have to do just to stay online on MSN network? At one point, they had to send random junk to server since that was what MSN actually did with their own official IM client.

About time (1)

SilverHatHacker (1381259) | more than 5 years ago | (#29126389)

Pidgin got voice and video support? Add that to the list. [slashdot.org]
Too bad Ubuntu is switching to Empathy. Sure, just apt-get pidgin back if you want it, but Telepathy is a much better way to do IM'ing anyway.
I'm glad to see that Pidgin isn't as dead as we thought, but its era is ending.

Change headline please. It's misleading. (1)

BikeHelmet (1437881) | more than 5 years ago | (#29126437)

Pidgin Adds Google Talk Voice and Video Support and patches a Vulnerability

Easy fix for MSN vulnerability (0)

Anonymous Coward | more than 5 years ago | (#29126485)

Go to Tools > Privacy > [MSN Account] > "Allow only the users on my buddy list"

Nowadays, not doing so is like turning off caller ID on your mobile.

Re:Easy fix for MSN vulnerability (2, Informative)

NevarMore (248971) | more than 5 years ago | (#29127543)

Easier fix. Don't use MSN.

Re:Easy fix for MSN vulnerability (1)

Jugalator (259273) | more than 5 years ago | (#29130053)

That's one of those things that is very easy to fix for yourself, but not all your friends.

Oh wait, maybe I used an unknown word on Slashdot now. ;-)

Debian Lenny has already a fix! (1)

GPLHost-Thomas (1330431) | more than 5 years ago | (#29126539)

Federico Muttis discovered that libpurple, the shared library that adds support for various instant messaging networks to the pidgin IM client, is vulnerable to a heap-based buffer overflow. This issue exists because of an incomplete fix for CVE-2008-2927 and CVE-2009-1376. An attacker can exploit this by sending two consecutive SLP packets to a victim via MSN.

The first packet is used to create an SLP message object with an offset of zero, the second packet then contains a crafted offset which hits the vulnerable code originally fixed in CVE-2008-2927 and CVE-2009-1376 and allows an attacker to execute arbitrary code.

Note: Users with the "Allow only the users below" setting are not vulnerable to this attack. If you can't install the below updates you may want to set this via Tools->Privacy.

For the stable distribution (lenny), this problem has been fixed in version 2.4.3-4lenny3.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 2.5.9-1.
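The bounds check that this kind of two-packet offset bug calls for, as an added example (not libpurple's code and not part of the comment above): a chunk reassembler that rejects any write unless a first chunk allocated the buffer and the whole range fits. `struct reasm`, `reasm_begin`, `reasm_write` and `REASM_MAX` are hypothetical names, and the chunk layout is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define REASM_MAX ((size_t)1 << 20)  /* assumed cap on a declared total size */

/* Hypothetical reassembly state for one multi-chunk message. */
struct reasm {
    uint8_t *buf;   /* NULL until a first chunk has allocated it */
    size_t   size;  /* total size declared by the first chunk */
};

/* First chunk (offset 0): allocate exactly the declared total size. */
static int reasm_begin(struct reasm *m, size_t total)
{
    if (total == 0 || total > REASM_MAX)
        return -1;
    m->buf = calloc(1, total);
    if (m->buf == NULL)
        return -1;
    m->size = total;
    return 0;
}

/* Any chunk: copy only if [offset, offset + len) lies inside the buffer. */
static int reasm_write(struct reasm *m, uint64_t offset,
                       const uint8_t *data, size_t len)
{
    if (m->buf == NULL)                  /* no allocation from a first chunk */
        return -1;
    if (offset > m->size)                /* attacker-chosen offset past the end */
        return -1;
    if (len > m->size - (size_t)offset)  /* subtraction form cannot wrap */
        return -1;
    memcpy(m->buf + offset, data, len);
    return 0;
}

int main(void)
{
    struct reasm m = {0};
    uint8_t chunk[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed sample data */
    int bad = reasm_write(&m, 4, chunk, sizeof chunk) == 0;  /* must be refused */
    bad |= reasm_begin(&m, 16) != 0;
    bad |= reasm_write(&m, 12, chunk, sizeof chunk) == 0;    /* must be refused */
    free(m.buf);
    return bad;
}
```

Writing the length test as `len > size - offset` after checking `offset <= size` avoids the integer wraparound that `offset + len > size` would allow for very large offsets.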

Re:Debian Lenny has already a fix! (0)

Anonymous Coward | more than 5 years ago | (#29126663)

Note: Users with the "Allow only the users below" setting are not vulnerable to this attack. If you can't install the below updates you may want to set this via Tools->Privacy.

That's not true. They are still vulnerable to attackers that have the victim in their contact list.

That's not a vulnerability... (1)

koolfy (1213316) | more than 5 years ago | (#29127127)

that's Google Talk's default privacy policy!

Behind the times much? (1)

CarpetShark (865376) | more than 5 years ago | (#29127147)

It's not the pidgin/purple/xmpp teams' fault(s), but this is astoundingly slow progress. That's one audio/video protocol out of many (msn, yahoo, etc. still need to be done from the sound of things). It's been years since the jingle reference library was opened up by google. In the meantime, google have moved on to Wave, twitter has happened, social networking has happened (granted, pidgin has a facebook IM extension), rapid download sites that compete with bittorrent have happened (and file transfers in pidgin are still flakey)...

It's great to see pidgin finally getting A/V, but they'll really have to push the pace a little if they want this to matter to more than a few luddites who stick with outdated tech when the rest of us have moved on.

It's been a long time in coming, and there have been many forked projects doing similar things before. Hopefully the fact that it's finally here in mainstream pidgin code means that someone found the proper architecture that they needed for approval, and all of the other A/V protocols can now be implemented quickly.

Re:Behind the times much? (1)

CRCulver (715279) | more than 5 years ago | (#29130247)

If the gaim crew hadn't been stuck in protracted negotiations over their name with AOL, progress would have happened much sooner. That year of stagnation as the team was told their project was infringing was a serious blow to development.

Re:Behind the times much? (1)

cbhacking (979169) | more than 5 years ago | (#29130539)

What really surprises me is lack of video over MSN, since Kopete (Konqueror's built-in IM client, which is in many ways comparable to Pidgin) has had MSN video chat for (about?) 2 years now, maybe longer. Both are open source, and while I'm not sure what Kopete's license is, surely they could share specifications even if they can't share code?

freeballer (1)

freeballer (1160851) | more than 5 years ago | (#29127713)

only for linux, so windows people are --t out of luck

Not Entirely XMPP Friendly (1)

Zerocool3001 (664976) | more than 5 years ago | (#29127861)

It's a bit misleading to say that Pidgin now implements video and voice for XMPP networks. They have implemented video and voice for the protocols that Google Talk uses which are unique to Google Talk. Other services (such as iChat) use different video and voice protocols on XMPP (possible on the Google Talk network). Since there is no unified protocol for video and voice on XMPP each service uses their own "proprietary" protocols piggybacked on an XMPP network. I guess us snobby iChat users will just continue to talk to each other.

Re:Not Entirely XMPP Friendly (2, Insightful)

Paaskonijn (1220996) | more than 5 years ago | (#29127953)

I guess us snobby iChat users will just continue to talk to each other.

As if you'd have it any other way. ;)

Re:Not Entirely XMPP Friendly (1)

igjeff (15314) | more than 5 years ago | (#29128387)

Uhm...to say that there is no unified protocol for video and voice on XMPP just doesn't match reality.

The jingle specs are fairly universal in the XMPP world. Google's, interestingly enough, is actually a bit out of date at this point, but they've promised to update to the jingle specs once the XSF has settled them, which has only really happened pretty recently.

Other clients that support some level of jingle A/V, where some of them may be audio only (and remember, there's basically no support needed at the server level for any of this) are Psi, Coccinella, Spark (in Windows), and now Pidgin. Talkonaut is a mobile (WinMo and Symbian) client that does jingle voice. More niche clients that have support are some of the IP PBX systems like Asterisk and FreeSwitch. There are others that are listed in places that have support for it, but I don't know the degree of that support, so I'm not going to list them...others can speak up if they know better on some of the others.

iChat is definitely the outlier in the XMPP world for not supporting jingle, or at least supporting something jingle-like (Google hasn't moved up to the standard as specified yet, as I said).

Oh, and just to knock down a bit of bias...I'm typing this on a Mac, so ostensibly, I'm one of those snobby iChat users as well, except that I don't use it.

Soo MS! (1)

SpaghettiPattern (609814) | more than 5 years ago | (#29129569)

Pidgin Adds Google Talk Voice and Video Support (and a Vulnerability)

Yeah, get there where MS is I say!

Thank you, Pidgin developers! (1)

DrZook (978704) | more than 5 years ago | (#29130181)

This is especially great news for those of us in places like the middle east, where greedy telephone monopolies block traditional VoIP traffic in order to hold on to their ancient business models. Google talk is increasingly becoming the de facto standard for international calls for the migrant population and the like.