MXit PRPL user-supplied file paths

Mark Doliner mark at
Wed Jan 9 03:17:51 EST 2013

On Sun, Jan 6, 2013 at 1:35 PM, Ethan Blanton <elb at> wrote:
> I believe we need a CVE and embargo even if all of this is generated
> by the MXit servers.  Why should MXit users trust the MXit servers
> implicitly?  This is a vulnerability.

Ok, I'll request a CVE for these two MXit issues a bit later.  I think
the policy is for just one CVE for the two issues, since they have a
similar root cause.  And I'll apply my patch when the time comes for
us to do the patch release.

I need to read through a few other recent security emails before
putting together the release and talking to packagers, but I'll try
not to drag my feet too long :-/

More information about the security mailing list