PGP key for vulnerability reports

Ethan Blanton elb at
Wed Nov 13 21:56:10 EST 2013

Richard Johnson spake unto us the following wisdom:
> Please find some of the security bugs we found attached. I've included my
> public key exported to ascii as well. Let me know if you have any trouble
> reproducing or understanding the bugs.

Quick summary to the list; we'll have to figure out how to distribute
these privately, or whether we just want me to send the unencrypted
disclosures to the list.

The four bugs are:

1. A bug in libgadu that has probably been fixed by Tomasz by this
   point, although he'll have to verify that, and it might not yet be
   included upstream (I have no idea).

2. A NULL dereference in Mxit; they say it's remotely exploitable if
   you can "allocate enough memory that the kernel maps the lowest
   page" (paraphrased), which is bogus on Unix, but maybe Windows
   sucks like that.  Either way it's a remote crasher.  Can only be
   initiated by the server, but that's no excuse.

3. Our Windows URL sanitizing is totally broken and they showed an
   example of why.

4. SIP SIMPLE can be caused to NULL dereference.  I think this is
   probably a more general logic bug, but it's a remote crasher either
   way.  They make the same claims as #2.


More information about the security mailing list