About libpurple's g_markup_escape_text() bug

Ethan Blanton elb at pidgin.im
Sat Oct 1 16:03:50 EDT 2011


Diego Bauche Madero spake unto us the following wisdom:
> I usually do not disclose such bugs in this manner. I just couldn't
> find a way to report a security bug (And... I'm guessing that the
> email address for security@ was somewhere inside the page, I was just
> dumb enough not to find it... My apologies if I caused any trouble).
> I'm not releasing a PoC in any case (Even though it's easy to trigger
> anyway). I'll be careful to report such bugs to security@ next time.

If you have any suggestions for how to make the existence of security@
more public (without confusing people who don't need to find it), we
would love to hear them.  This is not the first time we've had this
come up, and we've made (I think) positive changes in the past.

> Sure, you can use my Name and Email address for the CVE request.

Thank you!

Happy bug hunting.  ;-)

Ethan