Jabber OOB Transfer security issue

Matt Jones matt at volvent.org
Thu Sep 26 00:45:26 EDT 2013

I agree with this, definitely, good to know.

Will continue to send through issues I find.


On Thu, Sep 26, 2013 at 1:57 PM, Ethan Blanton <elb at pidgin.im> wrote:
> Matt Jones spake unto us the following wisdom:
>> You may be right - perhaps there are constraints in place that make
>> this a situation which is impossible to trigger or exploit, but I've
>> seen very similar issues in other software over the years and
>> sometimes they are exploitable - so I think it's safer to just correct
>> this dangerous construct and not speculate.
> Yes, I completely agree.  An analysis of likely exploitability is
> reasonable, though, for determining things like whether there should
> be an embargo and/or a CVE.  I don't think anyone was suggesting that
> errors like this should not be fixed!  We appreciate any and all
> feedback on dodgy code and potential security problems, even if
> they're not immediately exploitable.
> Ethan

More information about the security mailing list