Buffer overflow in MXit image command
Ulf Härnhammar
ulfharn at gmail.com
Tue May 29 10:28:40 EDT 2012
Any news on this?
// U.
On Wed, May 23, 2012 at 8:02 PM, Ulf Härnhammar <ulfharn at gmail.com> wrote:
> Hello,
>
> On Wed, May 23, 2012 at 7:54 PM, Ethan Blanton <elb at pidgin.im> wrote:
>> Thank you for identifying this bug, with details, and bringing it
>> directly to us via this security list. As this is a remotely
>> exploitable bug, we will coordinate a Pidgin release with the various
>> packagers of Pidgin and other libpurple-based projects
>
> Sounds great!
>
>> 1) To the best of your knowledge, is anyone else aware of this bug who
>> might disclose it publically, or has it been reported to any public
>> tracker or mailing list? The answer to this question will affect
>> both the method by which we request a CVE for this vulnerability,
>> and the manner in which the patch is ultimately released.
>
> Not published anywhere, as far as I know. I did send it to Beyond
> Security's SSD program that deals with security vulnerabilities, to
> make some money from it :) but they shipped around a summary of it to
> their customers who didn't seem interested. Beyond Security are
> professionals, so I don't think they'll leak it, even though they have
> all details.
>
>> 2) How do you wish to be credited for this discovery? (Name, email
>> address, etc.; affiliation is appropriate.)
>
> Just as "Ulf Härnhammar", please.
>
>> 3) Are there any other details regarding this disclosure that you
>> think we should be aware of? For example, does a CVE already
>> exist, is there an organization which will be disclosing it
>> directly after coordinating with us, etc.
>
> No, nothing special.
>
>> I am sure that we can. Please be aware that our coordinated release
>> process often takes some time, due to the number of projects and
>> organizations involved. Feel free to request an update if things seem
>> to be stalled, but please have patience with us if it takes a few
>> days/weeks. :-) The potential severity of this bug will likely fast
>> track it, although if we have to coordinate with MXit, they are often
>> slow to respond.
>
> I'm in no hurry, so that's OK.
>
> Regards,
> Ulf