Insomnia Security Advisories: Pidgin IM Insecure URL Handling Vulnerability

Mark Doliner mark at kingant.net
Mon Aug 8 21:37:36 EDT 2011


Hi James!

We've talked about this a little more and here's what we're planning to do:
* We have a patch that changes the behavior of the "open" action for
file:// links.  Instead of executing them, we'll open a file browser
at the given location.
* We don't think we need to be concerned about any other URI handlers
because they're all filtered through the user's preferred web browser,
and the browser will display appropriate warnings to the user.
* We're hoping to release a fix for this sometime in the next week or
two.  We'll keep you updated when we figure out the exact date.  It
will hopefully be before August 20 (you said "a month from now" on
July 20).
* We don't think we need a CVE number for this because the issue isn't
super horrible, but if you're planning on requesting one from the
oss-security mailing list and they provide a CVE number to use then
we'll certainly add it to the security blurb that we post on
http://pidgin.im/news/security/

Thanks,
Mark
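The dispatch the message above describes, written out as an added illustration that is not Pidgin's own patch (Pidgin is C; this is a small Python model with hypothetical names plan_action_before_fix and plan_action): before the fix the "open" action on a file:// link hands the path to the system for execution; after it, the client only opens a file browser at the directory containing the target, refuses file URIs that name a remote host, and routes every other scheme to the user's web browser, relying on the browser's own warnings. Paths are handled POSIX-style so the sample runs the same everywhere.

```python
"""Model of an IM client's link 'open' action, before and after the file:// fix.

Added example, not code from Pidgin. Nothing here runs anything; each function
returns the action the client would take so the behaviour can be checked.
"""
import posixpath
from urllib.parse import urlsplit, unquote


def plan_action_before_fix(uri):
    """Pre-fix behaviour (illustrative): a file:// link is executed."""
    parts = urlsplit(uri)
    if parts.scheme == "file":
        return ("execute", unquote(parts.path))
    return ("web_browser", uri)


def plan_action(uri):
    """Hardened behaviour: file:// opens a file browser, never the file."""
    parts = urlsplit(uri)           # urlsplit already lowercases the scheme
    if parts.scheme == "":
        return ("reject", "link has no URI scheme")
    if parts.scheme != "file":
        # Every other scheme goes to the user's preferred web browser, as the
        # message says; the browser is trusted to warn before running handlers.
        return ("web_browser", uri)

    # file://host/... with a real host would resolve to a remote share on
    # Windows, so the link could fetch and open attacker-hosted content.
    if parts.netloc not in ("", "localhost"):
        return ("reject", "file URI names a remote host: " + parts.netloc)

    path = posixpath.normpath(unquote(parts.path))   # decode %20, fold '..'
    if not path.startswith("/"):
        return ("reject", "file URI must carry an absolute path")

    # Open the directory that contains the target, or the directory itself
    # when the link ends in '/'. The target itself is never launched.
    directory = path if parts.path.endswith("/") else posixpath.dirname(path)
    return ("browse_directory", directory)


if __name__ == "__main__":
    # Constructed sample links, as an attacker might paste into a chat.
    samples = [
        "file:///home/user/Downloads/evil.sh",
        "file:///home/user/My%20Docs/a.exe",
        "file:///home/user/Downloads/../.bashrc",
        "file://evil.example/share/x.exe",
        "https://example.com/page",
    ]
    for link in samples:
        print(link)
        print("  before:", plan_action_before_fix(link))
        print("  after: ", plan_action(link))
```

The check that matters in review is the first sample: the pre-fix dispatcher returns an execute action on a script the attacker chose, while the fixed one returns only the Downloads directory for display. The remote-host rejection is an addition beyond what the message states, included because a file browser pointed at a UNC path would still touch the remote share.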

