The vulnerability lies in calling g_markup_escape_text() on strings
which have not been verified as valid UTF-8. This function is not
required to do anything reasonable with invalid UTF-8, and indeed
reads past the end of the string and will eventually segfault for
certain sequences in some versions of Glib 2. Because the behavior
of this function is undefined, and depends on the particular version of Glib 2 in use, the complete ramifications of this bug are unknown. Remote crashing of a libpurple client by untrusted users via specifically crafted SILC messages is a verified vulnerability.
This bug is believed to affect all releases of libpurple up to and including version 2.10.0.
*** This bug has been marked as a duplicate of bug 385073 ***