Insomnia Security Advisories: Pidgin IM Insecure URL Handling Vulnerability

Daniel Atallah daniel.atallah at gmail.com
Mon Aug 8 13:14:35 EDT 2011


On Mon, Aug 8, 2011 at 01:54, Mark Doliner <mark at kingant.net> wrote:
> Does this sound accurate to everyone?
> * We shouldn't prompt the user "are you sure?" when they click a file:// link.
> * We're ok with the "open" action for file:// links opening a file
> explorer window at the given location.
> * We like Eion's patch.
> * We don't need to be concerned about any other URI handlers.
> * We can bundle this fix with the other security fixes we'll need to
> release sometime in the next week or two.
> * We should not release info about this issue publicly until after we
> release a version of Pidgin with Eion's patch.
> * We don't need a CVE# for this issue because we're not actually doing
> anything wrong (we're just making it easier for the user to do
> something dumb).

I'm good with all of this except the "We don't need a CVE#" portion.

I don't disagree with the sentiment, but I assume that the original
reporter will need (or perhaps already has?) some sort of CVE because
he plans to disclose the issue himself at some point.

-D

