security review and patches for libpurple

Paul Aurich paul at darkrain42.org
Mon Jul 18 13:38:36 EDT 2011


On 2011-07-17 18:58, Ethan Blanton wrote:
> There are only two (I think?) strlcpy patches that I'm going to reject
> from this round, all of the others are applied (possibly with some
> changes or another to make them more robust in context).  The ones
> which I'm going to kick out for this round do hilight places we should
> fix, I just think we should factor the problem out differently to
> eliminate it.  I hope to have commentary on the patches I don't apply
> soon.  In fact, I may document this stuff before I finish all of the
> patches, just so they don't get lost in the shuffle.
> 
> With that in mind, I'd like to ask again if there are any objections
> to my committing these patches to ipp without embargo or a coordinated
> release.  If not, I will land them some time tomorrow.  If anyone even
> simply thinks we should wait a few days or get additional input before
> landing them, that's fine, too.

I'd also like to extend my thanks to the EFF and Jacob for this work.
I've been silent up to this point largely because I agree with Ethan's
responses.

Regarding this first set of patches, I had a bit of trouble following
the discussion over specific ones which are maybe papering over more
fundamental issues (or could be fixed in a better way) due to lack of
context, but of the ones I've looked at, I've been satisfied with them.

I have no problem committing these (strlcpy patches) without an embargo.

> 
> Ethan
> 

~Paul

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20110718/1565178d/attachment.pgp>


More information about the security mailing list