About libpurple's g_markup_escape_text() bug

Diego Bauche Madero diegobauche at gmail.com
Sat Oct 1 16:38:32 EDT 2011

Actually, "Diego Bauche Madero from IOActive" please, sorry for the trouble :P


On Sat, Oct 1, 2011 at 3:37 PM, Diego Bauche Madero
<diegobauche at gmail.com> wrote:
> Actually, can you please use my name with my email being
> diego.madero at ioactive.com?, I think my job has me on a "All your
> research belongs to us" diet... :P
> About what happened... I guess the first thing I did was... I went
> into the Developer website and looked how to submit a bug report. Went
> inside to look for a security address. Couldn't find it. I somehow
> managed to find a webpage listing the past security problems and
> wasn't there either.
> In reality though, it's not that hard to find it (On a second try,
> Just searching for "Security" did the trick), So it was actually just
> my fault in any case (Searching for "Security" does the trick, getting
> at the "SecurityVulnerabilityProcess" page). But I think it would be
> helpful to include it inside the "Tips for Bug Reports" site in any
> case so dumb users like me won't get lost.
> Cheers!
> --Diego
> On Sat, Oct 1, 2011 at 3:03 PM, Ethan Blanton <elb at pidgin.im> wrote:
>> Diego Bauche Madero spake unto us the following wisdom:
>>> I usually do not disclose such bugs in this manner. I just couldn't
>>> find a way to report a security bug (And... I'm guessing that the
>>> email address for security@ was somewhere inside the page, I was just
>>> dumb enough not to find it... My apologies if I caused any trouble).
>>> I'm not releasing a PoC in any case (Even though it's easy to trigger
>>> anyway). I'll be careful to report such bugs to security@ next time.
>> If you have any suggestions for how to make the existence of security@
>> more public (without confusing people who don't need to find it), we
>> would love to hear it.  This is not the first time we've had this
>> come up, and we've made (I think) positive changes in the past.
>>> Sure, you can use my Name and Email address for the CVE request.
>> Thank you!
>> Happy bug hunting.  ;-)
>> Ethan
>> Version: GnuPG v1.4.10 (GNU/Linux)
>> iQEVAwUBTodyJv8fixZ3H8crAQhknQgAkAKe8zz9tVrVd6F5h5m4+495vA3qSJDA
>> M69K4AzwgN4/EFP/lQTEy6KPBizzalhdEFMOOdaDgyL4hlbcwyWmPgvNqHXItVg8
>> 8LM79GrA6i48ECClHrmIxWuiWnoF7x6ArQJE1uzymemGpQQCz4rdHXCBYA7Hc1Jh
>> OJuhfaTTLMWYtwyVpsbHqwysIt09LhhlOIlIdwSh0vbanti0EGTLkF9y+uoRbwtP
>> AZ9hyUGOKQXJiE74ENHada4gMhYP0/8IyVy4LzPv6KTAf6wkep1Q4w==
>> =QIl7
>> -----END PGP SIGNATURE-----

More information about the security mailing list