security review and patches for libpurple
Dan Auerbach
dtauerbach at eff.org
Wed Jun 29 20:21:02 EDT 2011
Hi Pidgin Security Team,
We at the Electronic Frontier Foundation are dedicated to ensuring
people have the ability to engage in private and secure communication.
As we believe the open source suite of tools based on libpurple can and
should be used for this purpose (most securely via the Off-The-Record
Messaging protocol), we think it is vital to ensure that the software is
secure and safe from attack. As such, we hope to begin to partner with
you in doing an audit of security vulnerabilities surrounding libpurple
and dependent libraries, and providing patches. In this introductory
email, we have included some simple initial changes that we believe are
in keeping with best practices, as well as some changes that close
potential vulnerabilities. In the coming couple of months, we hope to do
a thorough audit, and plan to stay communicative about vulnerabilities,
offering patches where we are able to do so. Our goal is to work with
you, so please let us know the preferred way to interface with your team
for disclosing and patching these vulnerabilities beyond the security
vulnerability disclosure page.
Attached is a document outlining and summarizing suggested changes,
along with the patches we provide. I have also attached a tar.bz2 of
diffs, generated using "mtn diff", and a build log. Please see the
document for the information requested in
http://developer.pidgin.im/wiki/SecurityVulnerabilityProcess.
We would also like to thank Jake Appelbaum (cc'ed) for his help with
the review process; we hope to collaborate with him for future steps of
this review.
Sincerely,
Dan and Chris, Electronic Frontier Foundation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: build.tar.bz2
Type: application/x-bzip
Size: 14 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20110629/5c3197ba/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libpurple_init.tar.bz2
Type: application/x-bzip
Size: 9742 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20110629/5c3197ba/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libpurple-notes-initialreview.odt
Type: application/vnd.oasis.opendocument.text
Size: 42764 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20110629/5c3197ba/attachment-0001.odt>