Jabber OOB Transfer security issue
Matt Jones
matt at volvent.org
Thu Sep 26 00:45:26 EDT 2013
I agree with this, definitely, good to know.
Will continue to send through issues I find.
Thanks.
On Thu, Sep 26, 2013 at 1:57 PM, Ethan Blanton <elb at pidgin.im> wrote:
> Matt Jones spake unto us the following wisdom:
>> You may be right - perhaps there are constraints in place that make
>> this a situation which is impossible to trigger or exploit, but I've
>> seen very similar issues in other software over the years and
>> sometimes they are exploitable - so I think it's safer to just correct
>> this dangerous construct and not speculate.
>
> Yes, I completely agree. An analysis of likely exploitability is
> reasonable, though, for determining things like whether there should
> be an embargo and/or a CVE. I don't think anyone was suggesting that
> errors like this should not be fixed! We appreciate any and all
> feedback on dodgy code and potential security problems, even if
> they're not immediately exploitable.
>
> Ethan