security review and patches for libpurple

Ethan Blanton elb at pidgin.im
Sat Jul 16 17:58:43 EDT 2011


Dan Auerbach spake unto us the following wisdom:
> Thanks for getting back to us so quickly. Please let us know if you
> have follow-up questions about this initial set of bugs/patches, and
> we will be in touch about future ones, keeping in mind to raise
> issues though the process outlined below.

Hi all,

Thanks again for your conscientious review, documentation, and
patches.  We're gearing up for a 2.9.1 release, and I'd like to get as
many of these patches rolled in as possible.  "As possible" will be
limited (unfortunately) mostly by developer time and energy, including
my own, but we'll do our best!

I do in fact have some questions, both for you and for the Pidgin
team.

I am planning on committing the not-a-bug-but-not-a-good-idea patches
directly to the repository in the next couple of days.  This includes
things like changing strcpy to strlcpy in places where there is no
reason to believe that the strcpy is actually in error at this
particular time.  If anyone (EFF, Pidgin, or otherwise) has any
objection to that, please let me know.  I will wait a day or two to
push my commits to allow comment.

I will probably also include fixes for definitely-a-bug-but-not-
remotely-exploitable conditions in this push.  This includes, for
example, the old log reader, which may read date strings from disk
into an insufficiently sized buffer.  Comments on this push are also
welcome.

I would like to make sure that the EFF gets the credit it deserves for
this effort, and I would like your input on that matter.  We will
certainly mention the EFF's contribution in the individual commits and
in the ChangeLog, but I would like input from the EFF contributors on
appropriate recognition; I cannot promise we will take any particular
steps, but we will certainly take any suggestions into consideration.
This may include things like a notice on the front page of pidgin.im,
a blog post to our news feed, a badge on the footer of pidgin.im, etc.
Please let us know what you think is appropriate, so that we can
discuss it.

Ethan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: Digital signature
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20110716/28fc3568/attachment.pgp>


More information about the security mailing list