Chatty and libpurple - a security risk?

I really like the concepts the Purism team have proposed (such as symbiotic applications) and an emphasis on reducing redundancy, but something with the Chatty app concerns me. The idea of having plugins for multiple IM services is good, but the fact that the underlying app is built on libpurple is concerning given past security issues with libpurple.

Granted, some fault lies in the fact that client applications (Pidgin, Adium) were slow to update to patched versions of libpurple, but it would appear libpurple wasn’t built with security hardening in mind, at least in the early days.

How does the Purism team plan to mitigate this?

One of your linked articles does not mention libpurple.
The other says ONE vulnerability was discovered during an AUDIT. And the last vulnerability was found two years ago.

If that is all, then I’m not exactly sure why you think it might pose a security risk.
There’s no such thing as bug free software. Writing a replacement would basically be less trustworthy, unless it gets an audit and has no vulnerabilities discovered in two years. Which means, for the next three years, libpurple seems like a good choice :wink:

5 Likes

facepalm That’s what I get for researching when I’m sleepy.

I’m sure I could dig up more relevant articles given time.

Agreed. I’m more inclined to believe in the security of well-audited codebases vs. security by obscurity.

Upon more research it doesn’t seem to be as bad as I believed in terms of the number of publicly disclosed vulnerabilities, so I apologize for wasting anyone’s time. I remember historically (>5 years ago) there were some concerning vulnerabilities in libpurple, but I wouldn’t be surprised if at least one of them was caused by an implementation flaw in the client implementing it.

3 Likes

hi there! :slight_smile:

now I’m playing the bad guy here, who was too lazy to do his own research while knowing it’s not that hard of a task… X’D (only in case you already know the answer, I don’t wanna keep you busy with my own interest!)

so does this libpurple stuff mean that the call and SMS features of the Librem 5 can be reached from a relatively simple C lib that can be bound into whatever other apps than the default ones? :smiley: I have further future interests in that…

THX!!! all the best for you! :slight_smile:

At least I wasn’t all “OMG LIBPURPLE IS THE WORST THING EVER AND SHOULD BE BANNED FROM EVERYTHING” :stuck_out_tongue:. Just an inquiry really.

If we’re talking about the same thing I think it could lead to some interesting use cases down the line.

Back to the original topic, I do remember there have been vulnerabilities in the past in some obscure protocol transports of libpurple, and if we take a look at the security advisories for Pidgin, we can see several from 3 years ago in the protocol transport for “Mxit”, a South African IM service I’ve only vaguely heard of, which doesn’t exist anymore. Seeing how Chatty seems like it’s going to be only interfacing with XMPP and local SMS at launch, that leaves less of an attack surface. A wise security consultant once told me “The less code to worry about, the better”.

I remember a few years ago someone was working on a fork of Adium because the original developers weren’t as active and didn’t patch some vulnerabilities in the included libpurple library that were a concern at the time. This fork removed other protocol transports to reduce the amount of code and hardened some other things (updated the included OTR build). Sadly it seems the source was never released and it’s abandoned, but I appreciate the idea.

2 Likes

The problem with libpurple is that maintenance in general is not highly active. If you ask people in the XMPP community, they all advise against it, and few people in the XMPP community use or recommend Pidgin or Adium. Many new, important XMPP features of the last years are either not implemented in libpurple or so far only available as third-party plugins or patches.
Anyway, with some work, the plugins and patches can be integrated, and the work done by Purism can even help Pidgin and Adium. The security situation of libpurple doesn’t seem worse than with most typical C libraries. Which is not very good, but that’s a much more general problem than only libpurple.
If one is mainly interested in XMPP and does not care about SMS much, one can easily install Dino or Gajim on the Librem 5, which do not use libpurple and do support modern XMPP features such as OMEMO encryption.

5 Likes