PGP key for vulnerability reports

Ethan Blanton elb at pidgin.im
Mon Nov 25 08:48:53 EST 2013


Tomasz Wasilczyk spake unto us the following wisdom:
> >The four bugs are:
> >
> >1. A bug in libgadu that has probably been fixed by Tomasz by this
> >    point, although he'll have to verify that, and it might not yet be
> >    included upstream (I have no idea).
> 
> I confirm the bug still exists, both in 2.x.y and 3.0.0 branches. A
> simple patch is attached to this mail.

OK, that's unfortunate, but it's great that it's patched now!

> This bug is exploitable only by an attacker with the ability to spoof GG
> service provider domains. Should I keep the non-disclosure procedure
> for it (committing a patch only to /private/main/), or commit both
> to public 2.x.y and upstream libgadu repository?

Even though it requires spoofing the server, I would embargo it.  It's
still a remote vulnerability.

Ethan