Insomnia Security Advisories: Pidgin IM Insecure URL Handling Vulnerability

Daniel Atallah daniel.atallah at
Mon Aug 8 13:14:35 EDT 2011

On Mon, Aug 8, 2011 at 01:54, Mark Doliner <mark at> wrote:
> Does this sound accurate to everyone?
> * We shouldn't prompt the user "are you sure?" when they click a file:// link.
> * We're ok with the "open" action for file:// links opening a file
> explorer window at the given location.
> * We like Eion's patch.
> * We don't need to be concerned about any other URI handlers.
> * We can bundle this fix with the other security fixes we'll need to
> release sometime in the next week or two.
> * We should not release info about this issue publicly until after we
> release a version of Pidgin with Eion's patch.
> * We don't need a CVE# for this issue because we're not actually doing
> anything wrong (we're just making it easier for the user to do
> something dumb).

I'm good with all of this except the "We don't need a CVE#" portion.

I don't disagree with the sentiment, but I assume that the original
reporter will need (or perhaps already has?) some sort of CVE because
he plans to disclose the issue himself at some point.


More information about the security mailing list