PGP key for vulnerability reports

Ethan Blanton elb at pidgin.im
Mon Nov 18 17:09:01 EST 2013


Richard Johnson spake unto us the following wisdom:
> Ethan, can you please confirm receipt of these vulns?

Sorry, yes, we got them!  We haven't formulated a release plan yet.

Just as a quick hit, I believe the GG bug is fixed upstream (or
pending an upstream fix), the Mxit and SIP bugs are remote crashers
but not exploitable (no operating system on which Pidgin is routinely
run maps the first page of memory), and the URL handling bug is the
worst of the lot.

We will let you know when we've arranged a release; there are several
issues that have to be coordinated for this, so it is likely to take
some time.  If you have specific deadlines please let us know and we
will try to work them in.

Ethan

> 
> On Wed, Nov 13, 2013 at 8:35 PM, Richard Johnson <rjohnson at sourcefire.com> wrote:
> 
> > Please find some of the security bugs we found attached. I've included my
> > public key exported to ascii as well. Let me know if you have any trouble
> > reproducing or understanding the bugs.
> >
> >
> > Cheers,
> >
> > Richard Johnson
> > Vulnerability Development Lead
> > Sourcefire VRT
> >
> >
> > On Fri, Oct 11, 2013 at 4:28 AM, Ethan Blanton <elb at pidgin.im> wrote:
> >
> >> Richard Johnson spake unto us the following wisdom:
> >> > Hello, our research team has found a number of vulnerabilities in
> >> > libpurple, including fully controlled remote execution. What is the
> >> proper
> >> > procedure for submitting bugs?
> >>
> >> You are following it.  :-) For security-related bugs, please send the
> >> details to this mailing list, and we will arrange for a CVE (unless
> >> you wish to do so yourselves), bug fix, embargo with our packagers,
> >> and a public release date.  As we are a large all-volunteer project,
> >> these things normally take some time -- however, we will proceed as
> >> rapidly as possible for a remote execution vulnerability.  As I am
> >> sure you understand, we do ask that you respect the embargo date we
> >> set and withhold your own publication until that date.  Please provide
> >> us with whatever crediting information you wish for us to include in
> >> the CVE and news items -- research institution, individual discoverer,
> >> email address, etc.
> >>
> >> If you wish to encrypt your report, you can encrypt it to my public
> >> key, 0x771fc72b.  I am currently traveling and there may be some
> >> latency for a confirmation, but I will distribute the information as
> >> appropriate.
> >>
> >> Ethan
> >>
> >
> >
> >
> > --
> > Richard Johnson
> > Sourcefire VRT
> >
> 
> 
> 
> -- 
> Richard Johnson
> Sourcefire VRT