Jabber OOB Transfer security issue

Ethan Blanton elb at pidgin.im
Wed Sep 25 23:27:55 EDT 2013


Matt Jones spake unto us the following wisdom:
> You may be right - perhaps there are constraints in place that make
> this a situation which is impossible to trigger or exploit, but I've
> seen very similar issues in other software over the years and
> sometimes they are exploitable - so I think it's safer to just correct
> this dangerous construct and not speculate.

Yes, I completely agree.  An analysis of likely exploitability is
reasonable, though, for determining things like whether there should
be an embargo and/or a CVE.  I don't think anyone was suggesting that
errors like this should not be fixed!  We appreciate any and all
feedback on dodgy code and potential security problems, even if
they're not immediately exploitable.

Ethan


More information about the security mailing list