Veracode static analysis results

Chris Wysopal cwysopal at Veracode.com
Wed Dec 5 15:18:31 EST 2012


Now with attachment.

From: Chris Wysopal
Sent: Wednesday, December 05, 2012 3:18 PM
To: 'security at pidgin.im'
Subject: Veracode static analysis results


Hello Pidgin Security Team,

A customer asked us to analyze Pidgin using our static analyzer.  Our responsible disclosure policy is to inform you of any findings so that you may have the chance to review, comment, and/or fix the issues.

I think the software performed very well in our analysis, but there are a few issues we have found.  Attached is our full report. You can find the description of the issues found on pages 10-15. We found 1 Very High criticality, 5 Medium, and 47 Low. Here is a summary.

Flaws by Severity and Scan Type

Severity                     Total   Static
Very High                        1        1
  Untrusted Search Path          1        1
High                             0        0
Medium                           5        5
  Cryptographic Issues           1        1
  Directory Traversal            3        3
  Race Conditions                1        1
Low                             47       47
  Error Handling                47       47
Very Low                         0        0
Information                      0        0


Please acknowledge receipt and let us know if you have intentions of investigating and potentially fixing these issues.  If this is the case, we will certainly give you time to address the issues before releasing any information outside of your team.

Cheers,
Chris

Chris Wysopal
CTO
Veracode
617-501-3277

-------------- next part --------------
A non-text attachment was scrubbed...
Name: DetailedReport_Pidgin_2-10-6---Linux_2012125143246766.pdf
Type: application/pdf
Size: 207863 bytes
Desc: DetailedReport_Pidgin_2-10-6---Linux_2012125143246766.pdf
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20121205/ccb57dee/attachment-0001.pdf>
