About libpurple's g_markup_escape_text() bug

Diego Bauche Madero diegobauche at gmail.com
Sat Oct 1 16:37:15 EDT 2011


Actually, can you please use my name with my email being
diego.madero at ioactive.com? I think my job has me on an "All your
research belongs to us" diet... :P


About what happened... I guess the first thing I did was... I went
to the Developer website and looked at how to submit a bug report. Went
inside to look for a security address. Couldn't find it. I somehow
managed to find a webpage listing the past security problems and it
wasn't there either.

In reality though, it's not that hard to find it (on a second try,
just searching for "Security" did the trick), so it was actually just
my fault in any case (searching for "Security" does the trick, getting
you to the "SecurityVulnerabilityProcess" page). But I think it would be
helpful to include it on the "Tips for Bug Reports" page in any
case so dumb users like me won't get lost.

Cheers!
--Diego

On Sat, Oct 1, 2011 at 3:03 PM, Ethan Blanton <elb at pidgin.im> wrote:
> Diego Bauche Madero spake unto us the following wisdom:
>> I usually do not disclose such bugs in this manner. I just couldn't
>> find a way to report a security bug (And... I'm guessing that the
>> email address for security@ was somewhere inside the page, I was just
>> dumb enough not to find it... My apologies if I caused any trouble).
>> I'm not releasing a PoC in any case (Even though it's easy to trigger
>> anyway). I'll be careful to report such bugs to security@ next time.
>
> If you have any suggestions for how to make the existence of security@
> more public (without confusing people who don't need to find it), we
> would love to hear it.  This is not the first time we've had this
> come up, and we've made (I think) positive changes in the past.
>
>> Sure, you can use my name and email address for the CVE request.
>
> Thank you!
>
> Happy bug hunting.  ;-)
>
> Ethan
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iQEVAwUBTodyJv8fixZ3H8crAQhknQgAkAKe8zz9tVrVd6F5h5m4+495vA3qSJDA
> M69K4AzwgN4/EFP/lQTEy6KPBizzalhdEFMOOdaDgyL4hlbcwyWmPgvNqHXItVg8
> QjB6BOuFTkwgog5nqWfZMTmRzNVWQQLVNFTdB9I+KYqqZn1TuNMtsWtUOEyEb4rE
> 8LM79GrA6i48ECClHrmIxWuiWnoF7x6ArQJE1uzymemGpQQCz4rdHXCBYA7Hc1Jh
> OJuhfaTTLMWYtwyVpsbHqwysIt09LhhlOIlIdwSh0vbanti0EGTLkF9y+uoRbwtP
> AZ9hyUGOKQXJiE74ENHada4gMhYP0/8IyVy4LzPv6KTAf6wkep1Q4w==
> =QIl7
> -----END PGP SIGNATURE-----