About libpurple's g_markup_escape_text() bug

Ethan Blanton elb at pidgin.im
Sun Oct 2 12:07:57 EDT 2011


Diego Bauche Madero spake unto us the following wisdom:
> I saw the CVE request, I was wondering if you guys are also going to
> patch other code apart from the SILC code after this...
> 
> PS: I hope not to get in any trouble because of my lousy way to
> disclose this!, heh :). I do hope you guys know I meant no harm.

Yes, we hope to.  Time is, of course, always at a premium.  I have
already closed a potential, related issue (though less dangerous than
the SILC issue) in the IRC prpl, and that change will be in 2.10.1. If
you identify other validation problems before 2.10.1 goes out with
this SILC change, we will do our best to make sure they are fixed
before release.  For example, I am going to try to get the other SILC
issue you mentioned patched.  Otherwise, we will just have to address
problems as we identify them.

As you can see from the ChangeLog, we identify and fix sanitization
errors from time to time during normal development.  Some protocol
plugins are thornier than others (such as MSN and Yahoo!), and some
are largely unmaintained and/or donated by a third party (both apply
to SILC), and these plugins tend to have more than their fair share of
issues.

Ethan