PGP key for vulnerability reports
Tomasz Wasilczyk
twasilczyk at pidgin.im
Mon Nov 25 11:08:04 EST 2013
On 25.11.2013 14:48, Ethan Blanton wrote:
> Tomasz Wasilczyk spake unto us the following wisdom:
>>> The four bugs are:
>>>
>>> 1. A bug in libgadu that has probably been fixed by Tomasz by this
>>> point, although he'll have to verify that, and it might not yet be
>>> included upstream (I have no idea).
>>
>> I confirm the bug still exists, both in 2.x.y and 3.0.0 branches. A
>> simple patch is attached to this mail.
>
> OK, that's unfortunate, but it's great that it's patched now!
I've just committed it to the private/main repository.
>> This bug is exploitable only by an attacker with the ability to spoof GG
>> service provider domains. Should I keep the non-disclosure procedure
>> for it (committing a patch only to /private/main/), or commit both
>> to public 2.x.y and upstream libgadu repository?
>
> Even though it requires spoofing the server, I would embargo it. It's
> still a remote vulnerability.
Fine, I'll commit it upstream just after 2.10.8 release.
Tomek