security review and patches for libpurple
Paul Aurich
paul at darkrain42.org
Mon Jul 18 13:38:36 EDT 2011
On 2011-07-17 18:58, Ethan Blanton wrote:
> There are only two (I think?) strlcpy patches that I'm going to reject
> from this round, all of the others are applied (possibly with some
> changes or another to make them more robust in context). The ones
> which I'm going to kick out for this round do hilight places we should
> fix, I just think we should factor the problem out differently to
> eliminate it. I hope to have commentary on the patches I don't apply
> soon. In fact, I may document this stuff before I finish all of the
> patches, just so they don't get lost in the shuffle.
>
> With that in mind, I'd like to ask again if there are any objections
> to my committing these patches to ipp without embargo or a coordinated
> release. If not, I will land them some time tomorrow. If anyone even
> simply thinks we should wait a few days or get additional input before
> landing them, that's fine, too.
I'd also like to extend my thanks to the EFF and Jacob for this work.
I've been silent up to this point largely because I agree with Ethan's
responses.
Regarding this first set of patches, I had a bit of trouble following
the discussion over specific ones which are maybe papering over more
fundamental issues (or could be fixed in a better way) due to lack of
context, but of the ones I've looked at, I've been satisfied with them.
I have no problem committing these (strlcpy patches) without an embargo.
>
> Ethan
>
~Paul
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 897 bytes
Desc: OpenPGP digital signature
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20110718/1565178d/attachment.pgp>
More information about the security
mailing list