PGP key for vulnerability reports
Ethan Blanton
elb at pidgin.im
Mon Nov 25 08:48:53 EST 2013
Tomasz Wasilczyk spake unto us the following wisdom:
> >The four bugs are:
> >
> >1. A bug in libgadu that has probably been fixed by Tomasz by this
> > point, although he'll have to verify that, and it might not yet be
> > included upstream (I have no idea).
>
> I confirm the bug still exists, both in 2.x.y and 3.0.0 branches. A
> simple patch is attached to this mail.

OK, that's unfortunate, but it's great that it's patched now!

> This bug is exploitable only by an attacker with ability to spoof GG
> service provider domains. Should I keep the non-disclosure procedure
> for it (committing a patch only to /private/main/), or commit both
> to public 2.x.y and upstream libgadu repository?

Even though it requires spoofing the server, I would embargo it. It's
still a remote vulnerability.

Ethan