Insomnia Security Advisories: Pidgin IM Insecure URL Handling Vulnerability

James Burton james.burton at insomniasec.com
Tue Aug 9 18:54:59 EDT 2011


Hi Mark,

Thanks for the update, sounds good. If you could email the update
information once it's available I'll update my advisory & schedule its
release.

Regards


On 9/08/2011 1:37 p.m., Mark Doliner wrote:
> Hi James!
>
> We've talked about this a little more and here's what we're planning to do:
> * We have a patch that changes the behavior of the "open" action for
> file:// links.  Instead of executing them, we'll open a file browser
> at the given location.
> * We don't think we need to be concerned about any other URI handlers
> because they're all filtered through the user's preferred web browser,
> and the browser will display appropriate warnings to the user.
> * We're hoping to release a fix for this sometime in the next week or
> two.  We'll keep you updated when we figure out the exact date.  It
> will hopefully be before August 20 (you said "a month from now" on
> July 20).
> * We don't think we need a CVE number for this because the issue isn't
> super horrible, but if you're planning on requesting one from the
> oss-security mailing list and they provide a CVE number to use then
> we'll certainly add it to the security blurb that we post on
> http://pidgin.im/news/security/
>
> Thanks,
> Mark


-- 

James Burton

Insomnia Security
http://www.insomniasec.com
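The fix Mark describes above (a file:// link clicked in the chat window opens a file browser at that location rather than launching the file, while every other scheme goes to the user's web browser) can be illustrated with a small dispatcher. The following is an added example and is not Pidgin's code; the function name `plan_uri_action`, the set of browser-bound schemes and the rule that only an empty or "localhost" host counts as local are assumptions made for the example.

```python
import os
from urllib.parse import urlsplit
from urllib.request import url2pathname

# Added example (not Pidgin's own code): decide what a client should do
# with a clicked URI. The dispatcher never returns an "execute" action,
# so a file:// target can only be browsed, not launched.

# Schemes handed to the user's preferred web browser (assumption).
BROWSER_SCHEMES = {"http", "https", "ftp"}


def plan_uri_action(uri: str):
    """Return (action, target) for a URI clicked in a chat window.

    action is one of:
      "open_directory" - show a file browser at the directory containing the path
      "browser"        - hand the whole URI to the user's web browser
      "reject"         - do nothing (unsupported scheme or non-local file:// host)
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()

    if scheme == "file":
        # Only local paths are handled; a remote host would be a UNC/SMB
        # share on some platforms (assumption: treat anything else as reject).
        if parts.netloc not in ("", "localhost"):
            return ("reject", uri)
        local_path = url2pathname(parts.path)
        if local_path.endswith(os.sep):
            # The link already names a directory: browse it as-is.
            directory = os.path.normpath(local_path)
        else:
            # Hand back the containing directory, never the file itself.
            directory = os.path.dirname(os.path.normpath(local_path)) or os.sep
        return ("open_directory", directory)

    if scheme in BROWSER_SCHEMES:
        # The browser shows its own warnings for these, as the thread notes.
        return ("browser", uri)

    # javascript:, data:, unknown schemes and malformed input get nothing.
    return ("reject", uri)


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an incoming message.
    samples = [
        "file:///home/alice/Downloads/report.sh",
        "file:///home/alice/",
        "file://fileserver/share/tool.exe",
        "https://example.com/page",
        "javascript:alert(1)",
    ]
    for uri in samples:
        print(uri, "->", plan_uri_action(uri))
```

The key design point is that the return value describes only the two benign actions plus rejection; the code path that used to execute the target simply does not exist, so a crafted link cannot reach it by any scheme or path spelling.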
