Adium

Archive for the ‘security’ Category

Adium 1.5.10.3b1

Saturday, March 25th, 2017

In a new record for the longest version number, we have released Adium 1.5.10.3b1, available from here. This release includes libpurple 2.12.0 to fix CVE-2017-2640, a heap buffer overflow when removing HTML markup. We have determined that this vulnerability is only exposed by the GaduGadu protocol, as this is the only protocol where the relevant function is used with untrusted input. The impact appears to be limited to a denial of service (causing Adium to crash) by writing to an invalid memory location. Users who only use other protocols are unaffected. Users not yet ready to update are advised to disable their GaduGadu accounts until 1.5.10.3 is released.

In this release we have also had to remove support for a number of protocols which were known to no longer work: MSN, Yahoo, Facebook Chat and MySpace. If you had one of these accounts, they will disappear from Adium, but any chat logs you had will remain available. While some third-party Pidgin plugins exist for the new generation of some of these protocols, we currently have no plans to include those in Adium.

This release is currently not available as an auto-update, as our latest beta release is 1.5.11b3, which will not update to a lower version number. Anyone willing to try it can download it from the link above. Please report any issues you find on our bug tracker, as we hope to release 1.5.10.3 soon.


Adium, application security, and your keychain

Wednesday, April 16th, 2008

As of Adium 1.2.4, the Adium binary is signed. This means that our cryptographic signature is embedded in official releases of the application, and that any changes to that bundle will invalidate the signature and thereby alert your system (assuming it is running Mac OS X 10.5 or later) that the integrity of the program is compromised. One of the most obvious advantages of this besides basic security is that you should no longer be prompted to allow new versions to access your keychain items; the security layer can tell with confidence that Adium 1.2.5 is signed by the same folks who signed Adium 1.2.4 and that it should be allowed without question.

If you mess with the Adium binary in any way, you will invalidate the signature, and access to secure resources — specifically keychain items where your passwords are stored — will be disallowed by Mac OS X. Don’t do that.

A prime example (seen in our IRC support channel recently) is programs such as Monolingual, designed to “slim down” Universal Binary (a.k.a. “fat binary”) programs which contain both PPC and Intel code. Removing part of the code invalidates the signature. This leads to warning messages.

Apple is encouraging all developers to sign their applications; this won’t be a (non-)problem restricted to Adium. Since only copies of Adium built by the Adium team in our super-secret underground lab are signed, you can of course make your own build and change it however you want — this includes removing one architecture or the other.
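If you want to confirm that a copy of Adium still passes signature verification before you blame the keychain prompts on something else, the following script is an added example (not part of this post or of Adium itself). It assumes macOS with the standard `codesign` and `lipo` tools; the bundle path and the `check_adium_signature.sh` file name are the example's own.

```sh
#!/bin/sh
# Added example, not Adium project code: report whether an Adium.app bundle
# still carries a valid code signature, and if not, show whether its fat
# binary has been stripped (the Monolingual case described above).
# Assumes macOS; the default bundle path is an assumption of this example.

# Return 0 if the bundle's signature verifies, non-zero otherwise.
# --strict rejects modified resources, --deep also checks nested code,
# --verbose=2 prints the reason for a failure to stderr (merged here).
verify_bundle_signature() {
    codesign --verify --deep --strict --verbose=2 "$1" 2>&1
}

# Print the signing identity and certificate chain for the bundle so the
# user can see who signed it (codesign -dvv writes this to stderr).
show_signer() {
    codesign -dvv "$1" 2>&1 | grep -E '^(Identifier|Authority|TeamIdentifier)='
}

# List the architectures in the main executable. A bundle that a slimming
# tool has reduced to a single slice no longer matches the signed binary.
list_architectures() {
    lipo -info "$1/Contents/MacOS/$(basename "$1" .app)" 2>&1
}

main() {
    bundle="${1:-/Applications/Adium.app}"
    if verify_bundle_signature "$bundle"; then
        echo "OK: signature intact; keychain access should not re-prompt"
        show_signer "$bundle"
    else
        echo "WARNING: signature invalid or missing for $bundle"
        echo "macOS will refuse keychain access; reinstall an official build"
        list_architectures "$bundle"
        exit 1
    fi
}

# Run only when a bundle path is given on the command line, so the
# functions can also be sourced into another script.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh check_adium_signature.sh /Applications/Adium.app`; a non-zero exit means the bundle should not be trusted with your keychain items.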

While you’re at it, get involved in development! 🙂