Slashdot Mirror


Pidgin Adds Google Talk Voice and Video Support (and a Vulnerability)

ottothecow writes "While various attempts at video and voice support have been in the pipeline since long before GAIM became Pidgin, fully functioning support over XMPP is on its way. Lifehacker reports that Pidgin 2.6 adds voice and video support for GChat (and presumably any other XMPP network) for Mac and Linux. Windows still has a few bugs but they are being worked on. Pidgin 2.6.1 is only available as source at the moment (but precompiled versions are available at getdeb)." Less happily, an anonymous reader writes "A remote arbitrary-code-execution vulnerability has been found in Libpurple (used by Pidgin and Adium instant messaging clients, among others), which can be triggered by a remote attacker by sending a specially crafted MSNSLP packet with invalid data to the client through the MSN server. No victim interaction is required, and the attacker is not required to be in the victim's buddy list (under default configuration)."

127 comments

  1. Mac Binaries by slummy · · Score: 2, Informative
    1. Re:Mac Binaries by Anonymous Coward · · Score: 1, Funny

      Get a compiler, and make them.

    2. Re:Mac Binaries by nawcom · · Score: 2, Interesting

      Are not available yet.... :(

      Bah, don't worry; Adium will quickly integrate support I'm sure. I don't know about you but I'd prefer Adium over the Pidgin design for ANY operating system any day. Unfortunately they use Mac only frameworks. Porting (and most likely using an easy OS independent toolkit like Qt) would be a great project for inactive coders. Dunno about you, but I find Skype's interface 20 times more attractive than Pidgin's. Skype uses Qt 4.

    3. Re:Mac Binaries by chipxsd · · Score: 1

      don't expect it any time soon: http://trac.adium.im/wiki/VoiceAndVideo

    4. Re:Mac Binaries by am+2k · · Score: 2, Insightful

      Bah, don't worry; Adium will quickly integrate support I'm sure.

      (I'm an Adium dev)

      Actually, it doesn't look like that right now. We have a severe shortage of programming contributors, and the only ones that could do this (me included) don't have the time for it.

    5. Re:Mac Binaries by Ilgaz · · Score: 1

      Getting Mac binaries via Fink is relatively easy. Send a polite mail to the package maintainer describing the security issue and, if you are experienced in Fink, just simply say "I tried to build (via my .info in local), it builds fine just by updating the source URL" or "it doesn't build since it needs the xxxx package updated".

      I bet in hours it will pop up in "fink selfupdate".

      BTW, Fink doesn't provide a lot of "apt-get deb" type binaries as OS X is an ever-changing OS with things beyond their control (e.g. Apple adding a new libxml in a simple system update). Of course, if you have a powerful desktop machine, you can make it your own binary distro server.

    6. Re:Mac Binaries by Ilgaz · · Score: 1

      If he has Fink, he already has a compiler and some .info file having all the necessary patches and fixes for possible linuxisms, but that is not the deal.

      "compile your own" sounds more like "provide your .patch", which serves nothing to the purpose. We don't do such RTFM flames on OS X, at least not yet.

      The idea behind Fink and MacPorts is to provide the end user access to the gigantic Unix/BSD layer of OS X, otherwise left unused unless he is a developer, and to have the same class of citizenship as other *nix operating systems. The "end user" is the significant thing. They buy a Unix 03 compliant OS while buying OS X and they have the full right to use all of its features without the needless ./configure and the chaos in /usr/local.

    7. Re:Mac Binaries by Ilgaz · · Score: 3, Funny

      You must be new to OS X open source & freeware development. After a certain amount of downloads of open source applications, Apple gives you a special quantum encrypted key to the next gen OS X (OS X 10.9) and its XCode codes the open source application itself, automatically! They also donate automatically to keep up with the code & hosting expenses. So, all that's left for OS X users is to click "download now" and use it.

      Check your Junk Mail, key must be there.

    8. Re:Mac Binaries by blueskies · · Score: 1

      Let me guess? You're one of the pidgin asshats? I thought your project imploded after everyone realized what the developers really thought about their users.

    9. Re:Mac Binaries by outZider · · Score: 1

      I doubt that has anything to do with GTK vs QT, people can make attractive or ugly UIs in any framework.

      --
      - oZ
      // i am here.
    10. Re:Mac Binaries by am+2k · · Score: 1
    11. Re:Mac Binaries by ottothecow · · Score: 1

      I don't think that works when your product competes with one of Apple's products... then I think they block it from the app store (just wait until there is an OS X app store).

      --
      Bottles.
    12. Re:Mac Binaries by thePowerOfGrayskull · · Score: 1

      Get a compiler, and make them.

      Alas, my friend. The Mac people have forgotten that they are Unix people. Or perhaps they have never known at all... Ah, the tragedy of it cuts me to the quick.

  2. ouch by pha7boy · · Score: 1

    "No victim interaction is required, and the attacker is not required to be in the victim's buddy list (under default configuration)."

    ouch. that's a massive hole in security. I take it that would require a re-write on the server side to prevent execution.

    --
    -- All this knowledge is giving me a raging brainer.
    1. Re:ouch by Brian+Gordon · · Score: 1, Insightful

      Server side? No.. it's a client issue.

      Anyway as far as I'm concerned Pidgin abandoned its credibility a long time ago. I don't need an IM application anyway; if I need to contact someone I just open Gmail. If they're not online then email is right there.

    2. Re:ouch by Anonymous Coward · · Score: 0, Troll

      I can't wait until Google has access to all information about everything and everyone. That's going to be great! Right? Hello?

    3. Re:ouch by EvanED · · Score: 5, Interesting

      "Pidgin" is just a fancy word for the low-class broken English that most American blacks speak. Look it up if you don't believe me. So as far as I'm concerned, it never had any credibility in the first place.

      What? Way to project your own biases. "Pidgin" languages are any sort of conglomeration languages that develop when you have two peoples that don't have a common language who have to communicate.

      In fact, the "low-class broken English that most American blacks speak" (let's even ignore the glaring inaccuracy of that phrase) is really not a pidgin language at all.

    4. Re:ouch by TheLink · · Score: 1

      But that's not a server side problem.

      Think of pidgin as an exploitable email client. Just because the server by default passes messages from anyone (that's not blacklisted) to the client does not mean it's a server problem. And certainly does not mean the server should be rewritten.

      I'm not surprised pidgin has security problems. I stopped using pidgin because it crashes or locks up for stupid reasons. Pidgin is written in C. With C (or C++), "crash bugs" often turn out to be "remote execution of arbitrary code of the attacker's choice" bugs.

      --
    5. Re:ouch by Luke+has+no+name · · Score: 4, Insightful

      -1 for not backing up your statement on Pidgin's credibility.

      And good for you that all your contacts reside on GMail, and that you prefer GMail's web app to a desktop app that centralizes the many forms of communication on the Net. If that works for you, fine. It does not work for me. I want faster response time, a unified UI for all my communication, more flexible message notification, logging, etc. that keeps me in control of my settings and data locally.

      cp -a /home/me/.purple/ /media/Backup/Pidgin/

      I have friends on AIM, Facebook, GMail, and one or two with their own XMPP address. Fortunately, I do not need MSN to contact anyone I know.

    6. Re:ouch by kestasjk · · Score: 1

      Well no, people who aren't buddies still need to be able to communicate, and you'd hope such communication would be checked extra thoroughly.

      I'm on Windows and use Pidgin only because I hate Windows Live Messenger, the ads and tabs and needless features and static "Vista-esque" window borders make it feel like 90's RealPlayer's take on IM. When Pidgin was crashing all the time during the last major update I gave Windows Live Messenger another honest go, but couldn't bear it.

      I even tried to get Pidgin compiling in Eclipse to lend my eyeballs and shallow out a few bugs, but it's very unix-oriented unfortunately and I also found the code very difficult to navigate. I think that's because I use it for MSN and it's supposed to be multi-client, but even so the module interfaces were far from self-explanatory.
      More than anything I feel like C just isn't an appropriate language for something that'd have such an impact if a hole is found, why not Java, or Mono?

      Can you imagine the chaos if a similar bug was found in Windows Live Messenger? Even if it was "only" limited to people on your friends list it'd be the biggest worm since Blaster. Maybe I'll try again now, since at the moment I have to have Pidgin offline, but I really wish there was an FOSS MSN client for Windows that gets the basics right and is secure (and not just because no-one has heard of it).

      Of course this is a crappy thing to get at a celebratory new release time, and if Pidgin devs are reading I do appreciate the work a lot, but more than any network enabled app that I have running 24/7 Pidgin is by far the most concerning.

      tl;dr: Pidgin needs to sort their shit out regarding security, but thanks for keeping the updates coming

      --
      // MD_Update(&m,buf,j);
    7. Re:ouch by Anonymous Coward · · Score: 0

      "Pidgin" is just a fancy word for the low-class broken English that most American blacks speak. Look it up if you don't believe me. So as far as I'm concerned, it never had any credibility in the first place.

      What? Way to project your own biases. "Pidgin" languages are any sort of conglomeration languages that develop when you have two peoples that don't have a common language who have to communicate.

      In fact, the "low-class broken English that most American blacks speak" (let's even ignore the glaring inaccuracy of that phrase) is really not a pidgin language at all.

      actually, what you are referring to is a creole - a mix of two languages. a pidgin is a subset of a language spoken by non-native speakers. pidgins become creoles when the non-native speakers add their own words and pass it on to their children as a de-facto native language for them.

    8. Re:ouch by i.of.the.storm · · Score: 2, Interesting

      Err, the bug was already fixed and no vulnerable builds were even built for Windows. And incidentally, it'd be easier to just use the WinPidgin build environment fetcher script and cygwin or msys (I prefer msys) than try to compile it with eclipse, although once you have the environment set up eclipse should be able to use it as a Makefile project.

      --
      All your base are belong to Wii.
    9. Re:ouch by RichardJenkins · · Score: 1

      No, you're thinking (I kid! I kid!) of the word "patois". Pidgin is quite a good name for an IM client that can be used for many different, incompatible protocols.

    10. Re:ouch by 93+Escort+Wagon · · Score: 4, Funny

      I don't need an IM application anyway; if I need to contact someone I just open Gmail.

      If I need to contact someone, I just yell really loud.

      --
      #DeleteChrome
    11. Re:ouch by TheRaven64 · · Score: 1

      Not surprising. As someone who has written an XMPP library that has to be compatible with the pile of crap now known as libpurple, it's clear that the authors read 'MUST NOT' in a specification as 'is probably a good idea'. I wouldn't trust code written by them anywhere near a machine that contained any important information.

      --
      I am TheRaven on Soylent News
    12. Re:ouch by shutdown+-p+now · · Score: 1

      If you're on Windows, why do you even bother with Pidgin? There are numerous better native solutions; for a multi-network client (yes, it includes MSN/Live), I prefer Miranda IM as a very lightweight and stable client.

    13. Re:ouch by Anonymous Coward · · Score: 0

      A pidgin is a mixture of languages with no grammar. I believe it becomes a 'creole' when grammar develops.

    14. Re:ouch by Anonymous Coward · · Score: 0

      "Pidgin" is just a fancy word for the low-class broken English that most American blacks speak. Look it up if you don't believe me. So as far as I'm concerned, it never had any credibility in the first place.

      So, I didn't believe you. And I looked it up. And you're wrong.
      http://en.wikipedia.org/wiki/Pidgin
      I think you meant Ebonics.

    15. Re:ouch by skaet · · Score: 1

      Love it when posters don't read the summary. The vulnerability was found in libpurple. Not the MSN service.

      --
      There is no knowledge that is not power.
    16. Re:ouch by tecnico.hitos · · Score: 1

      Don't worry.

      Google is watching you.

      --
      The good, the evil and the vacuum tubes.
    17. Re:ouch by icannotthinkofaname · · Score: 1

      Are you serious? Why would you waste your energy like that? When I need to contact someone, I summon my minions and have them deliver the desired person for a conversation.

      --
      Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
    18. Re:ouch by Anonymous Coward · · Score: 2, Funny

      Thanks, Vin Diesel.

      The rest of us have to use whistles.

    19. Re:ouch by Anonymous+Psychopath · · Score: 1

      I've only ever heard pidgin in reference to something the locals in Hawaii speak, but never in reference to mainland black dialects. I think we're still calling that ebonics or some such made-up word?

      --

      Eagles may soar, but weasels don't get sucked into jet engines.

    20. Re:ouch by Anonymous Coward · · Score: 2, Funny

      I think we're still calling that ebonics or some such made-up word?
      As opposed to every other word out there that was found in nature?

    21. Re:ouch by Anonymous Coward · · Score: 5, Funny

      It's like carbon credits.

      It is for people who support FSF and feel guilty for running a closed source OS. Instead of actually installing Linux, they offset their use of closed source by installing an open source application. It helps to reduce the guilt and increase "street credentials" among their fellow dwellers of cubicles.

      As an example I have Windows XP running Photoshop. In order to offset I looked up the FSF Source-Credits Guide Lines and Regulations Handbook (FSCGLRH) and found out:

      Windows XP +10 Source Credits
      Photoshop = +5 Source Credits

      Offsets I selected:
      Pidgin = -4 Source Credits
      OpenOffice = -5 Source Credits
      Gimp* = -3 Source Credits
      Amaya** = -3 Source Credits

      *I do not use Gimp, however by installing it, I offset my credits by 3. Thereby reducing my guilt by d6 with a +1 modifier.
      ** I commonly use FireFox, however, it provides only 0 credits, Amaya on the other hand offsets my credits by 3.

      I am happy to say that I am Source Credit Neutral as defined by FSCGLRH. I am even thinking about installing X-Chat 2 in order to sell my credits to offset other people.

    22. Re:ouch by CRCulver · · Score: 1

      The term "Ebonics" is a sensationalist media creation. In linguistics, the term is African-American Vernacular English, usually abbreviated AAVE.

    23. Re:ouch by shutdown+-p+now · · Score: 1

      But Miranda IM is an Open Source client - it's GPL, and it doesn't get any more kosher than that.

      Or is it ritually impure because it is coded as a native Win32 application?

    24. Re:ouch by V!NCENT · · Score: 1

      Don't you think that a pidgin is just a bird that people used to send mail to each other when there was no post office, like they did in medieval times, you fucking retard?!

      --
      Here be signatures
    25. Re:ouch by CRCulver · · Score: 1

      That would be a pigeon, not a pidgin.

    26. Re:ouch by V!NCENT · · Score: 1

      Pidgin could be a pidgin word for pigeon as the logo of the IM client suggests. So I stand for 30% corrected.

      --
      Here be signatures
    27. Re:ouch by CRCulver · · Score: 1

      "Pidgin" is actually a Pidgin word for "business".

    28. Re:ouch by Ilgaz · · Score: 1

      Ritually impure, I think. No kidding, if it linked to GTK2, it would have better credibility as "open source". Weird but true.

      Also Miranda has a tendency to stay simple and light and to use whatever features the Windows frameworks provide to it. I remember it was one of the first (if not the first) IM to use the Win2k transparency feature among Windows clients. It had it because it made sense for an "always on top" thing to be transparent, not for show-off purposes. Anyway, if you go to the author and suggest a "super cool" feature which will add bulk to the client but will benefit 1%, it will likely be ignored. Such open source gets limited support.

    29. Re:ouch by Ilgaz · · Score: 1

      Pidgin is way more than "AOL client works under X11" now. It has become some kind of IM kernel & low-level framework for instant messengers. So, you are in an extremely funny area if you call it crap, you don't care about it and use the state-of-the-art UI of Adium instead.

      Mobile instant messengers and web services rely on Pidgin too.

      I use Pidgin compiled via Fink instead of Adium for a simple reason. I use a Mac Mini on a 720P HDTV and X11 is the only thing which reliably allows the huge fonts I need. Let's not forget the absolutely low (1%) CPU usage too.

    30. Re:ouch by DaVince21 · · Score: 1

      But what guilt, exactly? I didn't realize using (most) products made by companies induced guilt...

      --
      I am not devoid of humor.
    31. Re:ouch by Ilgaz · · Score: 1

      Using completely open and documented XMPP as the protocol for GTalk was one of the good things Google did. Nothing you say or they do in other areas can change it.

    32. Re:ouch by Anonymous Coward · · Score: 0

      But does yours repeat every message twice like your "blog"? Frankly why would I trust any of your code after seeing that? Or what you have to say about code for that matter?

    33. Re:ouch by blueskies · · Score: 1

      Pidgin's credibility was thrown away when they decided their users didn't matter. Look it up. You'll find an epic bug report of the developers being asshats.

    34. Re:ouch by ottothecow · · Score: 1
      I'm pretty sure gaim/pidgin have been big google summer of code projects in the past few years...that may even be what led to this release

      You had better believe google is watching

      --
      Bottles.
    35. Re:ouch by Anonymous Coward · · Score: 0

      Maybe because where I work we have a local jabber server running our IM communications, and pidgin has become a standard here since it's the one that has continued to work through continued upgrades of the package on the server, while other jabber programs have broken after we update the server. Also, pidgin works with pretty much every other protocol you might want to use...and may I mention that the encryption plugin can be VERY useful when you need to quickly and "securely" get sensitive information to someone in a pinch. (yeah, it does happen)

      Yeah, I hear you. GTK isn't beautiful on Windows, but pidgin seems to always get the job done. If you really care about a/v, then yeah... pidgin doesn't work... but let's not pretend that there are no reasonable, valid uses for pidgin on Windows... there are many.

    36. Re:ouch by V!NCENT · · Score: 1

      Which has nothing to do with an IM at all but nice try...

      --
      Here be signatures
  3. How about some autoupdate? by QuantumG · · Score: 1

    on windows... if you've got security vulnerabilities, you should be pushing updates.

    Oh, and about a month ago MSN connectivity died anyway, so I switched to using the HTTP connecting method. From looking at the code, it seems this isn't affected by this issue.

    --
    How we know is more important than what we know.
    1. Re:How about some autoupdate? by Anonymous Coward · · Score: 1, Interesting

      I'm not sure what platform you're on but that issue was related to the new version of nss turning off insecure hash algorithms, some of which are still used in MSN's cert. It just takes setting an environment variable to enable the hashes again.

      As far as updates, the client can be set to notify you of new updates, but since only windows would need auto update no one's ever gone about writing the code to do it.

    2. Re:How about some autoupdate? by i.of.the.storm · · Score: 2, Informative

      Well, if you enable the Release Notifications plugin it will tell you about updates. I did once post to the mailing list about adding an auto-update feature, but since Pidgin is multiplatform and a built-in autoupdate doesn't make sense on Linux with package managers, the idea was rejected. But really, the Release Notifications plugin is more or less good enough.

      --
      All your base are belong to Wii.
    3. Re:How about some autoupdate? by RiotingPacifist · · Score: 4, Insightful

      Right, if you're running a vulnerable app, you should let it update itself, sigh!

      --
      IranAir Flight 655 never forget!
    4. Re:How about some autoupdate? by Runaway1956 · · Score: 1

      "you should be pushing updates"

      That is NOT the open source way. I think that all open source advocates will agree (no matter which version of open source they advocate) that the strength of open source is CHOICE.

      No code is perfect. Windows users know as well as anyone that aggressively pushing updates can break applications, and even the OS. Remember XP SP2 and SP3? The SP2 issues never affected me, but one of my XP machines totally barfed when SP3 was installed.

      There is nothing to guarantee that pushing an update for Pidgin onto your machine, without even asking you first, won't make YOUR machine barf. Much better to allow you to find the update, download it, MAKE A BACKUP, then install it yourself. OK, so your machine didn't barf, but some little obscure feature that you just LOVE has stopped working. Do a restore, and you've got your feature back, no problem.

      See? Choice, and control over your own machine. Don't ask an open source operation to push updates.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    5. Re:How about some autoupdate? by Anonymous Coward · · Score: 1, Insightful

      That reason makes no sense at all. Look at Firefox as an example. The Firefox that comes with my version of Ubuntu disables the update feature because it gets handled by the package manager. However, I run Firefox 3.5, which I downloaded from Mozilla's site, and that lets me update when an update is available. There is no reason at all why pidgin couldn't write an OS-agnostic update feature (it's network code, for God's sake) and set an option at compilation that lets distributions disable it. All in all, a very piss-poor excuse.

    6. Re:How about some autoupdate? by javabsp · · Score: 1

      Well, consider that we have no full-time developers and make about $3000 a year from GSoC... comparing us to Firefox would be a bit unfair, no?

    7. Re:How about some autoupdate? by Korin43 · · Score: 1

      Or you could just use an operating system that does updates. Ubuntu apparently patched every version of pidgin that's available (even though for some reason they won't just update 2.5.9). Check out the notes.

    8. Re:How about some autoupdate? by i.of.the.storm · · Score: 1

      on Linux with package manager

      You were saying? It's not anything special about Ubuntu, most Linux distros have a package manager. But Ubuntu specifically seems to have a policy of not updating Pidgin except for security issues during releases. I'm surprised you haven't seen this: http://pidgin.im/download/ubuntu/

      --
      All your base are belong to Wii.
  4. ummmm? by CRiMSON · · Score: 5, Informative

    2.6.1 is only available as source at the moment?

    http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.1.exe

    So that's magic? If you install that do the terrorists win?

    --
    oogly boogly!
    1. Re:ummmm? by Desler · · Score: 1

      It's even funnier because after it says that it's only available as source there is a link provided to compiled binaries. So which is it?

    2. Re:ummmm? by Anonymous Coward · · Score: 0

      No magic there... check the About Dialog.

        Voice and Video: Disabled

  5. Holy contradictory stories, Batman! by Rogerborg · · Score: 1

    5. Non-vulnerable packages * Libpurple >= 2.5.9 (Pidgin >= 2.5.9)

    But... but... which version of Pidgin has just been released? So hard to remember... must... concentrate, dammit!

    --
    If you were blocking sigs, you wouldn't have to read this.
    1. Re:Holy contradictory stories, Batman! by Anonymous Coward · · Score: 0

      How is this contradictory? 2.6.1 was just released, adding new features. In unrelated news, anything older than 2.5.9 is vulnerable to a particular exploit.

    2. Re:Holy contradictory stories, Batman! by Anonymous Coward · · Score: 1, Informative

      I think they released 2.5.9, 2.6.0 and 2.6.1 on the same day. They are really trying hard to look amateurish.

    3. Re:Holy contradictory stories, Batman! by CannonballHead · · Score: 1

      Hardly unrelated. So related, in fact, that it would have been nice if the summary made mention of the fact that it only affects

      It'd be like me saying "New Linux Kernel released! Also, Linux has a security hole that allows arbitrary code execution!" And then, in small print, "Oh, by the way, it only affects

    4. Re:Holy contradictory stories, Batman! by i.of.the.storm · · Score: 2, Informative

      So 2.5.9 is a stability release for distros/maintainers who don't want to upgrade to 2.6.0 for whatever reason. 2.6.0 was released at the same time as 2.5.9 but a bug was immediately found so then they released 2.6.1.

      --
      All your base are belong to Wii.
    5. Re:Holy contradictory stories, Batman! by petermgreen · · Score: 1

      I would agree with you if it wasn't for the fact that 2.5.9, 2.6.0 and 2.6.1 were released on the same day.

      So unless you were very aggressive with your updating you would most likely still be running an affected version.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    6. Re:Holy contradictory stories, Batman! by i.of.the.storm · · Score: 1

      Nonono, you don't get it. 2.5.9 contains the bug fix for people/distros who don't want to move to a new major release. 2.6.0 was released, but it had a separate bug, so 2.6.1 was released later that day to fix that bug. Either way, most people should be safe, since 2.6.0 hardly had a chance to be recommended.

      --
      All your base are belong to Wii.
    7. Re:Holy contradictory stories, Batman! by i.of.the.storm · · Score: 2, Insightful

      No, they're trying to be professional and principled about things. Pidgin is one of the few projects that has standards about versioning, unlike eg. Firefox which goes more along the lines of whatever they feel like bumping the version by. More seriously, Firefox has a longer development cycle between major releases but in general they seem to just bump their version roughly proportionally to the amount of time a release was in development. In Pidgin land, major.minor.x releases are just security/bugfix releases, major.minor releases add features, and major releases break API, or something along those lines. 2.5.9 is a separate line from 2.6, and it's just to patch the vulnerability for those that won't move to the 2.6 line right away.

      --
      All your base are belong to Wii.
    8. Re:Holy contradictory stories, Batman! by petermgreen · · Score: 1

      Nonono, you don't get it. 2.5.9 contains the bug fix for people/distros who don't want to move to a new major release.
      Do you have anything to back up that claim or is it just a guess?

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    9. Re:Holy contradictory stories, Batman! by i.of.the.storm · · Score: 1

      Yes? It helps to read the Pidgin mailing list. It's generally a good idea to know what you're talking about when talking about security issues, which is something both you and the slashdot story editor failed to do.

      --
      All your base are belong to Wii.
  6. Where is the source package? by GPLHost-Thomas · · Score: 1

    Ok, it's available from "getdeb". But where do I get it for plain Debian Stable (Lenny), or where do I get the .diff.gz and .dsc files to compile them myself?

    1. Re:Where is the source package? by Raptor851 · · Score: 1

      same place it's always been http://sourceforge.net/projects/pidgin/

    2. Re:Where is the source package? by petermgreen · · Score: 1

      There are debianised source packages for 2.6.1 on getdeb (you have to follow the link for a particular distro release and then there is a source link there), dunno how well made they are.

      2.5.9 is available in debian sid and at least up until now i've found sid's pidgin packages compile fine on lenny.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
    3. Re:Where is the source package? by GPLHost-Thomas · · Score: 1
    4. Re:Where is the source package? by petermgreen · · Score: 2, Informative

      Here is a recipe to build a set of 2.6.1 packages for debian lenny based on the packaging ari has done for sid (but not uploaded yet, hence the download from svn.debian.org).

      # fetch the upstream 2.6.1 tarball and repack it as the .orig.tar.gz that dpkg-buildpackage expects
      wget http://sourceforge.net/projects/pidgin/files/Pidgin/pidgin-2.6.1.tar.bz2
      bunzip2 pidgin-2.6.1.tar.bz2
      tar -xf pidgin-2.6.1.tar
      gzip pidgin-2.6.1.tar
      mv pidgin-2.6.1.tar.gz pidgin_2.6.1.orig.tar.gz
      cd pidgin-2.6.1
      # pull the sid debian/ directory at a fixed revision
      svn export -r 14052 svn://svn.debian.org/svn/collab-maint/deb-maint/pidgin/trunk/debian
      # lenny has no tcl/tk 8.6 packages, so build against 8.5
      sed -i 's/tcl8.6-dev/tcl8.5-dev/' debian/control
      sed -i 's/tk8.6-dev/tk8.5-dev/' debian/control
      # drop the farsight build-dependency and the version constraints lenny's packages cannot satisfy
      sed -i 's/libgstfarsight0.10-dev (>= 0.0.9),//' debian/control
      sed -i 's/(>= 0.4.53)//' debian/control
      sed -i 's/(>= 1.1.1)//' debian/control
      # voice/video cannot be built without libgstfarsight, so turn it off
      sed -i 's/--enable-vv/--disable-vv/' debian/rules
      dpkg-buildpackage

      If it complains about missing build-depends, install them and run dpkg-buildpackage again.

      note: I had to disable video/voice because libgstfarsight is not available in lenny.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  7. Voice and video programs by Anonymous Coward · · Score: 0

    Is there a good, reliable program that's available for Windows and Mac OS X for voice and video communication?

    And no, I'm not going to install anything from Microsoft.

    1. Re:Voice and video programs by Darkness404 · · Score: 1

      Skype?

      Pidgin is actually pretty good in the amount of things it supports, I have some friends on AIM, MSN, and others on various others. It helps centralize things.

      --
      Taxation is legalized theft, no more, no less.
    2. Re:Voice and video programs by CarpetShark · · Score: 2, Informative

      Trillian is probably your best bet. I've never tried the A/V support, but it's been there for quite a while. Also look into Gizmo.

    3. Re:Voice and video programs by cparker15 · · Score: 1

      Is there a good, reliable program that's available for Windows and Mac OS X for voice and video communication?

      And no, I'm not going to install anything from Microsoft.

      You do know who develops Windows, don't you?

      --
      Have you driven a fnord... lately?


  8. The vulnerability wasn't ADDED it was FIXED! by Anonymous Coward · · Score: 0

    The vulnerability was fixed in 2.5.9 which was released just before the major update 2.6

  9. So the msn server has to attack you? by phantomcircuit · · Score: 1

    A vulnerability that is ridiculously unlikely to ever be seen in the wild? Oh no!

    1. Re:So the msn server has to attack you? by Anonymous Coward · · Score: 0

      Please read the advisory again. That's not the scenario.

  10. Incorrect news: vulnerability is fixed by Anonymous Coward · · Score: 0

    It looks like this reported vulnerability was fixed in 2.5.9 already:

    http://developer.pidgin.im/wiki/ChangeLog#version2.5.908182009

    Another thing to note is that the link in the post also states this:

    4. Vulnerable packages

            * Gaim >= 0.79
            * Libpurple = 2.5.8 (Pidgin = 2.5.8 and Adium = 1.3.5)
            * Other Libpurple frontends such as Finch might be vulnerable as well.

    However, the latest version of Pidgin that adds the voice and video support is 2.6.1. I would say that this makes 2.6.1 much safer and feature rich than the versions we are currently running.

  11. So I don't know a damn thing about this. . . by MagusSlurpy · · Score: 1

    . . . but if it's going through the MSN server, doesn't that imply that one would have to be running an MSN login?

    Does anyone actually use that anymore?

    --
    My sister opened a computer store in Hawaii. She sells C shells by the seashore.
    1. Re:So I don't know a damn thing about this. . . by Darkness404 · · Score: 1

Yes, there are a lot of people still on MSN, and AIM, especially if they aren't that great with computers. A lot of them have Facebook, but Facebook chat is quite buggy and seems to fail on low-bandwidth connections (and recently has forced me to spoof my user agents in order to use Facebook chat with alphas of Firefox....).

      --
      Taxation is legalized theft, no more, no less.
    2. Re:So I don't know a damn thing about this. . . by petermgreen · · Score: 1

Sadly most non-technical users here in the UK do and most of them are very difficult to persuade to either use a multiprotocol client or switch entirely.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    3. Re:So I don't know a damn thing about this. . . by geckipede · · Score: 1

      Yes, because you can't just decide to use something different one day. Convincing all your friends to switch to something else isn't worth the effort.

    4. Re:So I don't know a damn thing about this. . . by sqrt(2) · · Score: 1

      It's highly regional. Japan I'm told is mostly Live Messenger (MSN). I actually like the MSN protocol more than AIM or anything else. The client too is very nice once you patch it to remove the ads and some other things. Unfortunately all of my friends still use AIM and there is nothing I can do to get them to switch. Some started using Skype for VOIP but they usually only turn it on when they want to make a call, preferring to use AIM the rest of the time.

      --
      If you build it, nerds will come. Soylentnews.org
    5. Re:So I don't know a damn thing about this. . . by Abreu · · Score: 1

      Since the local telecom monopoly here, Telmex, has an agreement with Microsoft, most internet users in Mexico use MSN for IM and Hotmail for email...

      Sad, but true... so I unavoidably have to have a MSN client if I want to IM with people here

      --
      No sig for the moment.
    6. Re:So I don't know a damn thing about this. . . by Anonymous Coward · · Score: 0

      Sad, but true... so I unavoidably have to have a MSN client if I want to IM with people here

      Not really, this is exactly why XMPP (aka Jabber) was invented. Create an XMPP account on a server that allows transports, create an MSN account, add an MSN transport to your XMPP contact list. Now you can chat to people who use MSN as well as XMPP, using just your XMPP account. There are transports for AIM and other protocols as well.

      I've been pushing XMPP a little among my friends. Unfortunately most of them are still on MSN but I'm starting to gain a few XMPP contacts.

      To GP: MSN is unfortunately still very big in Europe as well. On the plus side, MSN integrates very nicely with XBox Live.

    7. Re:So I don't know a damn thing about this. . . by DaVince21 · · Score: 1

Well, to be honest, AIM is the better communication protocol, where connecting is faster, fewer connection errors appear and one has more control over the formatting of his text (text effects etc.) without needing any extensions. I do understand perfectly why they wouldn't want to switch, also because this can be related to preference (and as you said, region).

      --
      I am not devoid of humor.
  12. 2.5.9 and 2.6.1 are different releases by Laven · · Score: 5, Informative

    2.5.9 and 2.6.0 were both released Tuesday, August 18th addressing this security issue (CVE-2009-2694). 2.5.9 is 2.5.8 with only CVE-2009-2694 addressed and an unrelated crash bug fix. 2.6.0 contains CVE-2009-2694 in addition to many other bug fixes and the new Voice and Video support.

Unfortunately, another security issue was discovered with sending URLs over the Yahoo protocol and 2.6.1 was released on Wednesday, August 19th. According to the pidgin developers, 2.5.9 was not affected by the separate bug.

    Note: The Voice and Video support in pidgin-2.6.1 is a bit fragile. You MUST have the latest version of farsight2 and the stack of libraries it requires. You may also need to open ports on your firewall to allow it to connect.

    1. Re:2.5.9 and 2.6.1 are different releases by i.of.the.storm · · Score: 1

      Yes, this is what I've been trying to say all over this thread. The slashdot summary is horribly incorrect.

      --
      All your base are belong to Wii.
    2. Re:2.5.9 and 2.6.1 are different releases by Tenebrarum · · Score: 2, Interesting

      Note: The Voice and Video support in pidgin-2.6.1 is a bit fragile. You MUST have the latest version of farsight2 and the stack of libraries it requires. You may also need to open ports on your firewall to allow it to connect.

      To say the ruddy least. I've been trying to connect to friends' GTalk clients and it just doesn't work (although a couple of times I've managed to hear them).

    3. Re:2.5.9 and 2.6.1 are different releases by Ilgaz · · Score: 1

How come Google engineers don't give a hand to Pidgin developers on that GTalk issue? It has been months now, all they need is a SVN client or something.

      Isn't it the main purpose of using an open source framework like XMPP and enhancing on top of it instead of stupidly (hear me MS,AOL) trying to maintain your own closed network?

One side of Google does a genius move by using XMPP for GTalk and the other side doesn't take advantage of it on such a critical issue and leaves implementation to developers who are already terribly busy keeping up 3rd party junk compatibility and security issues. This doesn't make sense. Did you see the things they have to do just to stay online on the MSN network? At one point, they had to send random junk to the server since that was what MSN actually did with their own official IM client.

  13. About time by SilverHatHacker · · Score: 1

    Pidgin got voice and video support? Add that to the list.
    Too bad Ubuntu is switching to Empathy. Sure, just apt-get pidgin back if you want it, but Telepathy is a much better way to do IM'ing anyway.
I'm glad to see that Pidgin isn't as dead as we thought, but its era is ending.

    --
    Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
  14. Change headline please. It's misleading. by BikeHelmet · · Score: 1

    Pidgin Adds Google Talk Voice and Video Support and patches a Vulnerability

  15. Easy fix for MSN vulnerability by Anonymous Coward · · Score: 0

Go to Tools > Privacy > MSN Account > "Allow only the users on my buddy list"

    Nowadays, not doing so is like turning off caller ID on your mobile.

    1. Re:Easy fix for MSN vulnerability by NevarMore · · Score: 2, Informative

      Easier fix. Don't use MSN.

    2. Re:Easy fix for MSN vulnerability by Jugalator · · Score: 1

      That's one of those things that is very easy to fix for yourself, but not all your friends.

      Oh wait, maybe I used an unknown word on Slashdot now. ;-)

      --
      Beware: In C++, your friends can see your privates!
  16. Debian Lenny has already a fix! by GPLHost-Thomas · · Score: 1

    Federico Muttis discovered that libpurple, the shared library that adds support for various instant messaging networks to the pidgin IM client, is vulnerable to a heap-based buffer overflow. This issue exists because of an incomplete fix for CVE-2008-2927 and CVE-2009-1376. An attacker can exploit this by sending two consecutive SLP packets to a victim via MSN.

    The first packet is used to create an SLP message object with an offset of zero, the second packet then contains a crafted offset which hits the vulnerable code originally fixed in CVE-2008-2927 and CVE-2009-1376 and allows an attacker to execute arbitrary code.

    Note: Users with the "Allow only the users below" setting are not vulnerable to this attack. If you can't install the below updates you may want to set this via Tools->Privacy.

    For the stable distribution (lenny), this problem has been fixed in version 2.4.3-4lenny3.

    For the testing distribution (squeeze), this problem will be fixed soon.

    For the unstable distribution (sid), this problem has been fixed in version 2.5.9-1.
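The advisory quoted above describes a second SLP chunk carrying a crafted offset into a message object created by the first. As an added illustration (not libpurple's code, and using a constructed, simplified chunk header rather than the real MSNSLP wire format), here is a reassembly routine that validates every later chunk against the size the buffer was actually allocated with, so a crafted offset is refused before any copy happens:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified chunk header; not the real MSNSLP wire format. */
#define MAX_MSG_SIZE (1u << 20)   /* assumed policy: refuse absurd declared sizes */

typedef struct {
    uint32_t session_id;
    uint32_t total_size;   /* declared full message length */
    uint32_t offset;       /* where this chunk's bytes belong in the message */
    uint32_t length;       /* bytes carried by this chunk */
    const uint8_t *data;
} slp_chunk;

typedef struct {
    uint32_t session_id;
    uint32_t total_size;   /* size the buffer was really allocated with */
    uint32_t received;
    uint8_t *buf;
} slp_message;

/* The first chunk creates the message object; it must start at offset 0. */
int slp_message_begin(slp_message *m, const slp_chunk *c)
{
    if (c->offset != 0 || c->total_size == 0 || c->total_size > MAX_MSG_SIZE)
        return -1;
    m->buf = calloc(c->total_size, 1);
    if (m->buf == NULL) return -1;
    m->session_id = c->session_id;
    m->total_size = c->total_size;
    m->received = 0;
    return 0;
}

/* Later chunks are bounds-checked against the allocated size, never against
 * their own claimed total_size; the end offset is computed in 64 bits so
 * offset + length cannot wrap. Returns 1 = complete, 0 = more needed, -1 = rejected. */
int slp_message_append(slp_message *m, const slp_chunk *c)
{
    if (m->buf == NULL || c->session_id != m->session_id || c->length == 0)
        return -1;
    uint64_t end = (uint64_t)c->offset + (uint64_t)c->length;
    if (end > m->total_size)
        return -1;                 /* a crafted offset is refused here, before memcpy */
    memcpy(m->buf + c->offset, c->data, c->length);
    m->received += c->length;
    return m->received >= m->total_size ? 1 : 0;
}

void slp_message_free(slp_message *m) { free(m->buf); m->buf = NULL; }

/* Constructed two-packet scenario: a well-formed opener, then a second chunk
 * whose offset points far past the 16-byte buffer. Returns 1 if the second
 * chunk is rejected and the message state is untouched. */
int demo_crafted_offset_rejected(void)
{
    static const uint8_t payload[32] = { 0x41 };
    slp_chunk first  = { 7, 16, 0, 8, payload };
    slp_chunk second = { 7, 16, 0xFFFFFFF0u, 32, payload };
    slp_message m;
    if (slp_message_begin(&m, &first) != 0) return 0;
    int ok = slp_message_append(&m, &first) == 0
          && slp_message_append(&m, &second) == -1
          && m.received == 8;
    slp_message_free(&m);
    return ok;
}
```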

    1. Re:Debian Lenny has already a fix! by Anonymous Coward · · Score: 0

      Note: Users with the "Allow only the users below" setting are not vulnerable to this attack. If you can't install the below updates you may want to set this via Tools->Privacy.

      That's not true. They are still vulnerable to attackers that have the victim in their contact list.

  17. That's not a vulnerability... by koolfy · · Score: 1

    that's google talk's default privacy policy !

    --
    Segmentation Fault in "Life, Universe and Everything" at line 42. Don't Panic.
  18. Behind the times much? by CarpetShark · · Score: 1

    It's not the pidgin/purple/xmpp teams' fault(s), but this is astoundingly slow progress. That's one audio/video protocol out of many (msn, yahoo, etc. still need to be done from the sound of things). It's been years since the jingle reference library was opened up by google. In the meantime, google have moved on to Wave, twitter has happened, social networking has happened (granted, pidgin has a facebook IM extension), rapid download sites that compete with bittorrent have happened (and file transfers in pidgin are still flakey)...

    It's great to see pidgin finally getting A/V, but they'll really have to push the pace a little if they want this to matter to more than a few luddites who stick with outdated tech when the rest of us have moved on.

    It's been a long time in coming, and there have been many forked projects doing similar things before. Hopefully the fact that it's finally here in mainstream pidgin code means that someone found the proper architecture that they needed for approval, and all of the other A/V protocols can now be implemented quickly.

    1. Re:Behind the times much? by CRCulver · · Score: 1

      If the gaim crew hadn't been stuck in protracted negotiations over their name with AOL, progress would have happened much sooner. That year of stagnation as the team was told their project was infringing was a serious blow to development.

    2. Re:Behind the times much? by cbhacking · · Score: 1

      What really surprises me is lack of video over MSN, since Kopete (Konqueror's built-in IM client, which is in many ways comparable to Pidgin) has had MSN video chat for (about?) 2 years now, maybe longer. Both are open source, and while I'm not sure what Kopete's license is, surely they could share specifications even if they can't share code?

      --
      There's no place I could be, since I've found Serenity...
    3. Re:Behind the times much? by DaVince21 · · Score: 1

      Well, to be perfectly honest, they DID change and rewrite a large part of the IM library at some point (libpurple). So even though not a lot has been going on for the user, the developers have been working hard to get everything to work right in the newer library first. At least, that's my guess... It seems a lot of recent releases before this one were all targeted toward bug/crash fixing.

      --
      I am not devoid of humor.
    4. Re:Behind the times much? by LiquidFire_HK · · Score: 1

      You mean KDE's client. Konqueror is a browser and does not include an IM client :)

      FWIW, Kopete is GPL, like Pidgin. Qt used to be GPL (until 4.5 when it was also released as LGPL) so you'll find all KDE software is GPL as well.

  19. freeballer by freeballer · · Score: 1

    only for linux, so windows people are --t out of luck

  20. Not Entirely XMPP Friendly by Zerocool3001 · · Score: 1

It's a bit misleading to say that Pidgin now implements video and voice for XMPP networks. They have implemented video and voice for the protocols that Google Talk uses which are unique to Google Talk. Other services (such as iChat) use different video and voice protocols on XMPP (possible on the Google Talk network). Since there is no unified protocol for video and voice on XMPP each service uses their own "proprietary" protocols piggybacked on an XMPP network. I guess us snobby iChat users will just continue to talk to each other.

    --
    Science will save us. The question is, will it destroy us first?
    1. Re:Not Entirely XMPP Friendly by Paaskonijn · · Score: 2, Insightful

      I guess us snobby iChat users will just continue to talk to each other.

      As if you'd have it any other way. ;)

    2. Re:Not Entirely XMPP Friendly by igjeff · · Score: 1

      Uhm...to say that there is no unified protocol for video and voice on XMPP just doesn't match reality.

      The jingle specs are fairly universal in the XMPP world. Google's, interestingly enough, is actually a bit out of date at this point, but they've promised to update to the jingle specs once the XSF has settled them, which has only really happened pretty recently.

      Other clients that support some level of jingle A/V, where some of them may be audio only (and remember, there's basically no support needed at the server level for any of this) are Psi, Cocinella, Spark (in Windows), and now Pidgin. Talkonaut is a mobile (WinMo and Symbian) client that does jingle voice. More niche clients that have support are some of the IP PBX systems like Asterisk and FreeSwitch. There are others that are listed in places that have support for it, but I don't know the degree of that support, so I'm not going to list them...others can speak up if they know better on some of the others.

iChat is definitely the outlier in the XMPP world for not supporting jingle, or at least supporting something jingle-like (Google hasn't moved up to the standard as specified yet, as I said).

      Oh, and just to knock down a bit of bias...I'm typing this on a Mac, so ostensibly, I'm one of those snobby iChat users as well, except that I don't use it.

    3. Re:Not Entirely XMPP Friendly by uhoreg · · Score: 1

      Telepathy/Empathy also supports Jingle. Coccinella (two "c"s) supports Jingle, but uses IAX as the transport, so you won't be able to chat with most other people.

      By the way, the base Jingle spec is XEP-0166, and was just recently advanced to "Draft" status.

--
To get something done, a committee should consist of no more than three persons, two of them absent.

  21. Soo MS! by SpaghettiPattern · · Score: 1

    Pidgin Adds Google Talk Voice and Video Support (and a Vulnerability)

    Yeah, get there where MS is I say!

--
I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
  22. Made-up words by Anonymous Coward · · Score: 0

    Ah yes, "made-up words." Totally inferior to those words that humanity was blessed with when they were handed down by the angels.

  23. Just say no! by higuita · · Score: 1

It's simple... when asked for your IM address, say you use gtalk/gmail/jabber/xmpp and that you don't have MSN (you can't, you don't like it, you don't agree with the MS policy, etc), then ask back if they have gmail or any other xmpp based service. If they complain that they don't want to have 2 IMs open, say they can install multiprotocol clients.

in the start, you will be joked at, later you will see some people starting to use other IM networks and when it reaches critical mass, you will see that people start using both networks, and even later msn will slowly lose people because of the virus/spam/etc

yes, in the start you will not be able to talk with many people, but that is required to force others to open up; if sooner or later they want to talk with you, they will have to open an account and after that it is easier...

the change starts with you

    --
    Higuita
  24. Thank you, Pigdin developers! by DrZook · · Score: 1

    This is especially great news for those of us in places like the middle east, where greedy telephone monopolies block traditional VoIP traffic in order to hold on to their ancient business models. Google talk is increasingly becoming the de facto standard for international calls for the migrant population and the like.

  25. Blaming the wrong ones by Ilgaz · · Score: 3, Insightful

First of all, to that security company. Good job really publicizing a vulnerability without checking with unpaid developers of a complete open source project. Also whatever junk you use to create the pages doesn't work with Opera 10 and I am too tired to fire up another browser.

    Second: Where are you "web 2.0" cool privacy killing instant messenger sites built on Pidgin libraries, where is your patch to the security vulnerability? Can't you spare some of the entrepreneur provided millions to hire some actual developers and fix the issues with the core you rely on?

Third: How hard is it to assign a couple of MSN, AOL, Yahoo developers to the Pidgin project by the respective companies and let them maintain their own mess which they call a "protocol"? It is not like 100s of millions of Win32 users will use a GTK2 client on their Windows while you already push your own with the OS install, right? I talk about 3 guys at most, who will at least oversee the protocol development.

All we "open standards" loving nerds are running a bunch of closed source, proprietary, low quality, badly engineered IM protocols and in the end, people who are unpaid, overworked, struggling to keep up with the junk above get the blame... It is a huge shame really.

    1. Re:Blaming the wrong ones by javabsp · · Score: 1

      First of all, to that security company. Good job really publicizing a vulnerability without checking with unpaid developers of a complete open source project.

      Actually, they notified us about it a couple weeks ago, and gave us enough time to fix it before announcing the vulnerability.

  26. w00t by ottothecow · · Score: 1

    hey look my first accepted story

    --
    Bottles.
  27. precompiled at getdeb have no audio/video capabil by evuraan · · Score: 1

except those precompiled debs at getdeb don't give you av/vv capabilities yet. http://webupd8.blogspot.com/2009/08/pidgin-260-adds-voice-and-video.html#comment-15056475