security review and patches for libpurple

Dan Auerbach dtauerbach at eff.org
Sun Jul 17 17:45:00 EDT 2011


Thanks for your help in integrating these patches, Ethan.

On 07/16/2011 02:58 PM, Ethan Blanton wrote:
> Dan Auerbach spake unto us the following wisdom:
>> Thanks for getting back to us so quickly. Please let us know if you
>> have follow-up questions about this initial set of bugs/patches, and
>> we will be in touch about future ones, keeping in mind to raise
>> issues though the process outlined below.
> Hi all,
>
> Thanks again for your conscientious review, documentation, and
> patches.  We're gearing up for a 2.9.1 release, and I'd like to get as
> many of these patches rolled in as possible.  "As possible" will be
> limited (unfortunately) mostly by developer time and energy, including
> my own, but we'll do our best!
>
> I do in fact have some questions, both for you and for the Pidgin
> team.
>
> I am planning on committing the not-a-bug-but-not-a-good-idea patches
> directly to the repository in the next couple of days.  This includes
> things like changing strcpy to strlcpy in places where there is no
> reason to believe that the strcpy is actually in error at this
> particular time.  If anyone (EFF, Pidgin, or otherwise) has any
> objection to that, please let me know.  I will wait a day or two to
> push my commits to allow comment.
>
> I will probably also include fixes for definitely-a-bug-but-not-
> remotely-exploitable conditions in this push.  This includes, for
> example, the old log reader, which may read date strings from disk
> into an insufficiently sized buffer.  Comments on this push are also
> welcome.
>
> I would like to make sure that the EFF gets the credit it deserves for
> this effort, and I would like your input on that matter.  We will
> certainly mention the EFF's contribution in the individual commits and
> in the ChangeLog, but I would like input from the EFF contributors on
> appropriate recognition; I cannot promise we will take any particular
> steps, but we will certainly take any suggestions into consideration.
> This may include things like a notice on the front page of pidgin.im,
> a blog post to our news feed, a badge on the footer of pidgin.im, etc.
> Please let us know what you think is appropriate, so that we can
> discuss it.
Chris Palmer and myself are the primary people on the EFF side, and Jake 
has been very helpful in assisting in the first round of patches. I 
can't speak for either of them, but I'm not at all worried about 
appropriate recognition---really anything is fine. Much more important 
is having a good relationship with you and the Pidgin team so we can 
work together for this and future security-related patches.

> Ethan



More information about the security mailing list