PGP key for vulnerability reports

Richard Johnson rjohnson at sourcefire.com
Wed Nov 13 21:35:50 EST 2013


Please find some of the security bugs we found attached. I've included my
public key exported to ascii as well. Let me know if you have any trouble
reproducing or understanding the bugs.


Cheers,

Richard Johnson
Vulnerability Development Lead
Sourcefire VRT


On Fri, Oct 11, 2013 at 4:28 AM, Ethan Blanton <elb at pidgin.im> wrote:

> Richard Johnson spake unto us the following wisdom:
> > Hello, our research team has found a number of vulnerabilities in
> > libpurple, including fully controlled remote execution. What is the
> > proper procedure for submitting bugs?
>
> You are following it.  :-) For security-related bugs, please send the
> details to this mailing list, and we will arrange for a CVE (unless
> you wish to do so yourselves), bug fix, embargo with our packagers,
> and a public release date.  As we are a large all-volunteer project,
> these things normally take some time -- however, we will proceed as
> rapidly as possible for a remote execution vulnerability.  As I am
> sure you understand, we do ask that you respect the embargo date we
> set and withhold your own publication until that date.  Please provide
> us with whatever crediting information you wish for us to include in
> the CVE and news items -- research institution, individual discoverer,
> email address, etc.
>
> If you wish to encrypt your report, you can encrypt it to my public
> key, 0x771fc72b.  I am currently traveling and there may be some
> latency for a confirmation, but I will distribute the information as
> appropriate.
>
> Ethan
>



-- 
Richard Johnson
Sourcefire VRT
-------------- next part --------------
A non-text attachment was scrubbed...
Name: VRT-2013-1001 - Pidgin libpurple Gadu Gadu HTTP Content-Length Integer Overflow Vulnerability.txt.gpg
Type: application/octet-stream
Size: 1961 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20131113/dd8010a2/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: VRT-2013-1002 - Pidgin libpurple Mxit Emoticon Name Length Integer Overflow Vulnerability.txt.gpg
Type: application/octet-stream
Size: 1596 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20131113/dd8010a2/attachment-0005.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: VRT-2013-1003 - Pidgin for Windows URL Handling Remote Code Execution Vulnerability.txt.gpg
Type: application/octet-stream
Size: 1249 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20131113/dd8010a2/attachment-0006.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: VRT-2013-1004 - Pidgin libpurple SIP-SIMPLE Content-Length Integer Overflow Vulnerability.txt.gpg
Type: application/octet-stream
Size: 1354 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20131113/dd8010a2/attachment-0007.obj>

