Remote crash in gaim-text

Mark Doliner mark at kingant.net
Tue Mar 6 02:09:52 EST 2007


On Sun, 25 Feb 2007 21:39:41 +1100, Richard Nelson wrote
> I have a (possibly exaggerated) concern; revision f59170f3 fixes a 
> vulnerability (definitely remote crash, probably remote code 
> execution) that exists in gaim-text 2.0.0b6. It's very easy to 
> trigger (have a buddy change their name to a format string, while 
> you have the buddy list visible), and svn users/downstream don't 
> have the fix.

I guess we should probably publicize this and get a CVE number and what not. 
Is there anyone that thinks we SHOULDN'T?  Unless someone objects, wabz, do
you think you could write up some info on the vulnerability?  You can look at
http://gaim.sourceforge.net/security/ for some examples.  I think we need
a brief title, a summary, description, and description of the fix.  (Title and
summary are extremely similar... we should consider getting rid of one of those.)

How does this sound:  We check in a fix to MTN as soon as possible.  We hold
off on checking a fix into Subversion so as to avoid people noticing the bug
(unless the fix has already been checked in?).  We wait to contact the CVE
people until we have a firm release date, and we set the embargo date to be
the same as the release date.  Then we release Pidgin 2.0 containing the fixed
version, as well as email a patch for Gaim 2.0.0 to the packagers mailing list.

Luke, you've been in contact with the CVE people recently, right?  When the
time comes, would you want to handle coordinating with them on this?

-Mark

