Buffer overflow in MXit image command

Ulf Härnhammar ulfharn at gmail.com
Wed May 23 14:02:41 EDT 2012


Hello,

On Wed, May 23, 2012 at 7:54 PM, Ethan Blanton <elb at pidgin.im> wrote:
> Thank you for identifying this bug, with details, and bringing it
> directly to us via this security list.  As this is a remotely
> exploitable bug, we will coordinate a Pidgin release with the various
> packagers of Pidgin and other libpurple-based projects

Sounds great!

> 1) To the best of your knowledge, is anyone else aware of this bug who
>   might disclose it publicly, or has it been reported to any public
>   tracker or mailing list?  The answer to this question will affect
>   both the method by which we request a CVE for this vulnerability,
>   and the manner in which the patch is ultimately released.

Not published anywhere, as far as I know. I did send it to Beyond
Security's SSD program that deals with security vulnerabilities, to
make some money from it :) but they shipped around a summary of it to
their customers who didn't seem interested. Beyond Security are
professionals, so I don't think they'll leak it, even though they have
all details.

> 2) How do you wish to be credited for this discovery?  (Name, email
>   address, etc.; affiliation is appropriate.)

Just as "Ulf Härnhammar", please.

> 3) Are there any other details regarding this disclosure that you
>   think we should be aware of?  For example, does a CVE already
>   exist, is there an organization which will be disclosing it
>   directly after coordinating with us, etc.

No, nothing special.

> I am sure that we can.  Please be aware that our coordinated release
> process often takes some time, due to the number of projects and
> organizations involved.  Feel free to request an update if things seem
> to be stalled, but please have patience with us if it takes a few
> days/weeks.  :-)  The potential severity of this bug will likely fast
> track it, although if we have to coordinate with MXit, they are often
> slow to respond.

I'm in no hurry, so that's OK.

Regards,
Ulf

