PGP key for vulnerability reports

Ethan Blanton elb at
Mon Nov 25 08:48:53 EST 2013

Tomasz Wasilczyk spake unto us the following wisdom:
> >The four bugs are:
> >
> >1. A bug in libgadu that has probably been fixed by Tomasz by this
> >    point, although he'll have to verify that, and it might not yet be
> >    included upstream (I have no idea).
> I confirm the bug still exists, both in the 2.x.y and 3.0.0 branches. A
> simple patch is attached to this mail.

OK, that's unfortunate, but it's great that it's patched now!

> This bug is exploitable only by an attacker with the ability to spoof GG
> service provider domains. Should I keep the non-disclosure procedure
> for it (committing a patch only to /private/main/), or commit both
> to the public 2.x.y and upstream libgadu repositories?

Even though it requires spoofing the server, I would embargo it.  It's
still a remote vulnerability.

