security review and patches for libpurple

[Chris Palmer]

On Jul 18, 2011, at 9:46 PM, Jacob Appelbaum wrote:

> On a related topic - I'd like to share a bit of insider knowledge from
> the bug hunting community. I've just recently finished a nine day REcon
> stint and I wasn't too happy with what I heard about pidgin.
> Specifically, I've heard that people are trying to sell pidgin 0day but
> they're not finding any ethical buyers; that is to say that ZDI doesn't
> buy pidgin bugs and work to get them fixed. Meanwhile, I've directly
> seen that some of the digital arms dealing companies are making offers
> for pidgin/libpurple bugs. I assume that libxml2 bugs via pidgin are
> valid "pidgin bugs" in the arms dealing world.
> 
> I really think that a strong pidgin/libpurple security push is needed -
> something much larger than what a few developers might be able to
> accomplish on their own.

Successful patches devalue the work of arms dealers. The pleasure of doing that is reward enough, to me. :)

Being under concerted attack like this should motivate a unified approach to common C bug classes. All the integer overflows, buffer overflows, format string vulnerabilities, et c. should be ruled out by strict code guidelines. Only then can we focus on higher-level vulnerabilities, in the way that developers in less primitive languages get to do.


-- 
Chris Palmer
Technology Director, Electronic Frontier Foundation
https://www.eff.org/code