security review and patches for libpurple
elb at pidgin.im
Tue Aug 9 15:36:58 EDT 2011
Mark Doliner spake unto us the following wisdom:
> On Tue, Aug 9, 2011 at 9:26 AM, Ethan Blanton <elb at pidgin.im> wrote:
> > In places, yeah. I think you'll find my changes less offensive than
> > their original patches, but certainly there are still checks which are
> > not really *right*, but will simply prevent crashes. As to whether
> > overrunning the string is better ... I can't say. Overrunning buffers
> > doesn't always lead to crashing, sometimes it leads to much more
> > subtle and difficult-to-identify bugs. When stacks get smashed, even
> > if there's a crash, it may not be easy to find from the backtrace.
> True, but they WOULD show up in valgrind.
Quite possibly true.
> > I'll push my changes here before long, and we can take a collective
> > look at them. If there's agreement that some of them are bad, or
> > could be fixed in a different, better way, or simply shouldn't be
> > touched, we can always revert.
> Cool, that sounds great to me. Do you know if there are changes that
> should be bundled with the other security patches in an embargoed
None of what I've processed so far. Some of the remaining patches,
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 482 bytes
Desc: Digital signature
More information about the security