PGP key for vulnerability reports

Tomasz Wasilczyk twasilczyk at pidgin.im
Mon Nov 25 11:08:04 EST 2013


On 25.11.2013 14:48, Ethan Blanton wrote:
> Tomasz Wasilczyk spake unto us the following wisdom:
>>> The four bugs are:
>>>
>>> 1. A bug in libgadu that has probably been fixed by Tomasz by this
>>>     point, although he'll have to verify that, and it might not yet be
>>>     included upstream (I have no idea).
>>
>> I confirm the bug still exists, both in 2.x.y and 3.0.0 branches. A
>> simple patch is attached to this mail.
>
> OK, that's unfortunate, but it's great that it's patched now!

I've just committed it to the private/main repository.

>> This bug is exploitable only by an attacker with the ability to spoof GG
>> service provider domains. Should I keep the non-disclosure procedure
>> for it (committing a patch only to /private/main/), or commit both
>> to the public 2.x.y and upstream libgadu repositories?
>
> Even though it requires spoofing the server, I would embargo it.  It's
> still a remote vulnerability.

Fine, I'll commit it upstream just after 2.10.8 release.

Tomek
