Remotely triggerable crash
phofin at gmail.com
Thu Sep 26 13:01:34 EDT 2013
You are welcome, and don't worry, I'll keep it secret.
Also, it's ok to use my full name and email for the credit:
Jaime Breva Ribes <jbrevaribes at gmail.com>
On 26 September 2013 18:43, Ethan Blanton <elb at pidgin.im> wrote:
> Pho spake unto us the following wisdom:
> > I've been playing with the XEP-0203 (Delayed Delivery), and i've found
> > the stanza:
> > <message type="chat" to="pho at jabberes.org/pichon" id="ab30a">
> > <body>die pidgin die</body>
> > <delay xmlns='urn:xmpp:delay' stamp='2038-09-10T23:05:37Z'/>
> > </message>
> > Remotely crashes (at least) pidgin 2.10.6 and 2.10.7 for Windows.
> > It just happens when the year is >=2038, and works on MUC too
> Thank you for the report! This is probably related to wraparound of a
> 32-bit time_t (as that happens sometime in 2038). We will look into
> Because this is a remotely triggerable crash, we request that you keep
> it secret until the Pidgin release in which it is fixed. We have a
> number of outstanding less serious bugs to fix, so there will probably
> be a release relatively soon. We will request a CVE for this
> vulnerability, set a release date for the corrected source, and
> coordinate with the various vendors and distributions that ship Pidgin
> and libpurple to release more or less simultaneously.
> In order to make sure that you get the appropriate recognition for
> discovery of this vulnerability, please let us know how you would like
> to be credited. The usual credit is full name and email address, but
> this is entirely up to you.
> We will make sure that you are notified of the embargo date and CVE
> information for this vulnerability in advance of the release that
> corrects it.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> -----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the security