PGP key for vulnerability reports

Sun Jan 12 04:20:34 EST 2014

Questions for Robert and Yves: Are you ok with us requesting CVE
numbers for these from our contact at Red Hat? Can we give credit to
you for finding these problems (in our ChangeLog, vulnerability
posting at https://pidgin.im/news/security/, and in our request for
CVE numbers)? If so, who should we credit? "Discovered by Sourcefire
VRT"? "Discovered by Yves Younan, Sourcefire VRT"?

Our fixes for all four issues are attached, encrypted for
rjohnson at sourcefire.com. I would like to request CVE numbers from our
contact at Red Hat on Mon, Tue or Wed. I would like to set an embargo
date of Jan 23, morning US pacific time. Does this sound ok to
everyone? I'm flexible.

VRT-2013-1001, VRT-2013-1002, and VRT-2013-1004: Tomasz and I both
confirmed that these bugs exist in Pidgin 2.10.7. Tomasz has committed
fixes for all of them to our private 2.x.y branch (revisions
ec15aa187aa0, 4c897372b5a4, and 6bd2dd10e5da, respectively).
Additionally, for VRT-2013-1001 (the Gadu-Gadu bug) Tomasz will commit
the fix to upstream libgadu after we've released our 2.10.8 publicly.

VRT-2013-1003 (exec'ing file:// links in Windows and elsewhere) is the
least straight-forward of the bunch. This bug was actually reported to
us in 2011 and we attempted to improve it then. We even got a CVE
number and added the buggy code "if uri_starts_with_file://file://
then show it in Explorer." See https://pidgin.im/news/security/?id=55
for details.

I think this is mostly only a problem on Windows. For most other
configurations we either open a file manager or prompt the user.

The current behavior is:
- If Windows and link is "file://file://blah" then open Explorer at
the file's location.
- Otherwise, if Windows then attempt to exec the file.
- Otherwise, if 'gnome-open' exists and GNOME_DESKTOP_SESSION_ID env
variable is set then open file browser at the file's location (on
Ubuntu 13.04, at least) using "gnome open /usr/bin/blah".
- Otherwise, if 'kfmclient' exists and KDE_FULL_SESSION and KDEDIR env
vars are set then prompt the user "are you sure you want to exec
/usr/bin/blah?" (on Ubuntu 13.04, at least) via Konqeror using
"kfmclient openURL /usr/bin/blah"
- Otherwise, if on OSX then "open /usr/bin/blah." I think this
sometimes execs the file.
- Otherwise, use user's configured web browser. Firefox prompts.
Chrome downloads the file (or would presumably display it if it's HTML
or image).

The ideal behavior that I would like to see is:
1. User clicks file:// link
2. Something shows the user a dialog "WARNING: Opening this is
dangerous. Are you sure you want to continue?" This dialog could be
Pidgin, or could be handled by the OS, desktop environment, file
manager, browser, etc.

I also think it's acceptable for us to pop open a file browser at the
file's location, but not as user-friendly and not any safer for the
user.

Disabling file:// links completely is reasonable, but I think it's
more extreme than need be.

I fixed the brokenness of our Windows link opening code in revision
b2571530fa8b. I'd prefer for us to wait until 3.0.0 to add an "are you
sure?" confirmation prompt.
-------------- next part --------------
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.12 (GNU/Linux)

hQIMAwTr6og6b8d8ARAApIqhppiRjLlS0GvSiRsVd6idjN8s7kupO9wtK2cbKiIz
uvFQxwAE6MCWmRVaCjUT0FZIYlDjl5heQ8ET1zANDqHLV6GirzPDzvvv0qGi/MoW
tVkEFcRJSc7xmQrFhaP33sjUeZoScM2MVAVm19TSeMz91rh8TpOOY3+mDNsQpGfV
uAOqMEFpefOOmh8ClYNLd+diEqeugJtRDUExdZtP6JScfgjd0MBh2O7iPjZOOdP9
uVKoU0aa9yTWe1DDNPBIZFb+rCywKZWBBr7frYrZg1NnO8On/sMD3AbIl+oPqply
KDOMZhY6GTwZXlt66uyhxv+9AfhITuUmCkGwcj1Jxk48a6FnXPxuLEqWOEaj/uFE
2twRFbnqIODRLwygxKJefu7mUluwZhrUX/cIAw5eNjGSz8sKsry86sizYHCa1zBn
fspfpAOCrLNPRqZSfz5vNzHzq1CZMkFluIBlnWSD1oKeYYLv8rt+nlARhjJ1oPAp
va5nIDwB60rKTL7cBWQcHINRaM3aVwtM151RNcp/YKOhKfvEeHW2q56uUe//YUMu
173DZwNfndXCCsgTYizTJZF8WEc2uL4pD7brcjmnbf1l6sWzaNXz+ATS2QMRnHlj
YxWkFk2KJNGIFOmvEXBjlvIthx/PKBQXwDdO4vD4E+Y86EHpn8w2dKVWfpQ+6OTS
6wFLnaB0yDB58D7tOM5DxsaamaGq+LHABBjVBNgwfdfXDwQuSkm1yVND9m/KlS0X
mdnab6yowwwBZgBuM92W6pMmeGjqwBrJdsGffg5JTxiMvb9grZoYt/TJ5b0H8uLV
1RWnQLHCaXre876phjiYIv0lufKMQR0qVmiz8N13NQlQBfQFRAxqtQQ7jg55ex5v
5wNzxfyP+PpYQnsA4bb5XeF1lPv0C1n7vFHARY9B+DCyCbVPbCb5eu4NrRJbmNYq
6XPzmpggJxMYPN35UGXmPlN0Xd2z4TjrxtNM5x4T0Mlhn/X6UjjFgus2JmT9i2Dd
dGYcVD757ng2bwhAq1Eqppk0SJ62Nlbk65LJS0mWvzMqAW3GkvT9M8Fayq+uPFcp
/dNpu+PbVotYs5WW9B7mKEGKiuyONFF5S67yvV/BR2MDNQ5yzHcEJStbeCU/MsFQ
NMtMxmbku1InBrjMh2vdVCjmIKWH4pEnN9x+SXrhNh3TC8Ubva/frl7KJGj4KhR/
mZjhBEe68KOLP3Qu8wr0V8+zP6RT9Sui2pSaEjTT6PdeQDqCNWLm44+IDSMqwTm2
zoS2/WDO2g6iSaE19WJzGan3yacqkZ3NIx35FFN6x+1pcW0H2nNo0VM9xRq5ZSSm
OVkExM7ej71lXuDC7OtEnZk/YXxO2I6rDy66pSSlptXprU9IvbPdDUNzTdVpnEBO
Yds/Z0VyPCbcx/nKCVmXlaUNXOrWekJnOqzn20xVO064REQGT1fDBtoU1I/jioGm
u9EI5RqhC66UetH6g3bl0krPcSIpbD2ZS6tclM3YqyoOEU5G5w/Npo87oA9iou4a
aELHyGeuDnnjrJQmK91gMAsIzzzMhSeQ+Wb1SISKySusaoVj6Fb0wTjw646S9VCg
Ufd1lbd49eNYPUFGjDbRr5GQzxgzLqyltgZks5cR0NkWoS+Rc9LyJE29t/tKXEIN
XjAnlWVQMsMqo+AbX+2taO6XcAtP+6ncNPhDkQkiXUARXbTdrgYIpVU7vS/SFfz/
OAjmC3VD8pJSr30BaPGKAEH9OjjKxbBGIHL4HtgCF6gMemQjfNyPUInmvsI/bQYm
4ZTCepFalDTR+xREOm21HVT5j0sITd4zevHVqelHU+BwSsoKtYnJ/VRUu5wSfDdD
KVGbqL1fVABz0S37qRIDzigfdX3pTKXMdcYtyb5GCkXBa9De3yq/CAmKjlefMxRf
tfvbdMkxuNjHGO/nY893dosb3999ZoM0R98XwF7FgwgajYqfED2cofUfsPLf+14A
dspSyNBXaxEW6YUCvq1JaFM1YhafGG2FceNH/ejSUv39jF4ZAnTWuujlKD/bi5T7
2FlhjSXzQdMVFjaSWZnaBgQtD0VuN6cQX27KXZ6vxqCGHjh6lZf4HNYa+nt9fFAq
DJ0MJxU0X8Sw06MO2cXVsamptzmvwKFhSr/I62uo8+0R+pvuw2M3z44GLNbAe1cS
utQSJlFR6VOJE2a5qA7Ile/Xaqgzb4tjfEK5ORWlZLpyUEVSuaQ9QosE2YMdiq1x
AVWMlXiPXXkVXXJqMDn4B929RDs74HkJyGIJg4pZ/Z62FYdXGdCtqnechJ8vw2lJ
uKFnUMAP2NMWnHR2sdE7b9HumNsUx//S0ugaD1nz+MAA5hzPU67hgX7BbK5ZL41F
rrbd1IeRu3c5tAnQCdrEYqwXheViyunqJerW2g8fy2zm5p+u7b3xIeyhNYUXIxC7
6ofofftJNRA4sFaVs/JxWym4ZdZ0gzzu3Lnp5yX1b8igNMM31pmbYIy6xgMPlVbv
buh621BC+bdquhyBNv8PB3EGgU3VSrG3/17d21r5NEE3lW8AOFBmkqyt37ZTEhrr
/d47/A/peWEvnBvdXt7GPPMypXF75HA/92o2CgSiAnScrrHFLKrIX0uSjztceOOR
52z+Q68D8RI+vBsBpUyVmMcf9EbGcxvDeY+ShH/+U3amPcLpsTVk80/oQT/UKmWR
WUNsh1MdJKrZ0TIhoyH6oMN4k8h7ggEC+Dlt9f6IXS0In7o+S6Ubop1284J5SrIR
2eGinUgfhbJuKO/qpUCxUven7PPBvmZRsKaBLZVwy1EJB19xP9BRBbL12zxdcVtO
TsR0swxSjSH2pfvwM86yjL1Y7SoBRt7VR4HIvjCA7lri87gJOwKZgqCHOvvX2v0v
lzkU5UHCuTbY9Nms37/lWJqSF103aiRms6JdHJP5xvtYJx1fC6As8/9AEVyWiPjn
Vx0WdAJC7htPxnCdcJGgzQaxFZDpaS/j3VPK6nbHzVqWC8OHuktuZ8VT5XQXE3vN
olLFjd4ItarST1ET/9u1TGzXECdZbmsI/3wtUfKupqsh6VKcmWBCXFLlfLLBBl+8
5QHpJQsA6IV8VfANnYt8ZBb8dTCrY8Dgxbz2b1rxiJgkncrpus/Zv2aN8SfNkpwr
KMgwlitJ4qLdj9DZjMcUzjR967uDUPlJRBjZR/5KtYpVxsd5UlCjh9wNmEO63gJ/
qKDeSWTWLaL60lZvodfCgM6OfiwYXXjICc/AYwwc4jEyprCCs+IQcjfPuL9DK2gY
J60DyLIu+IBpNDxqOYTMopauU7r6GePpe7HctvEyihm4oaB11WKUYTx3GdDeuY+t
TkAPpylPse6X9P/c8yIlTNxVAj05mlW1umBwkuSmNuw6EHAQlN90y+u4276uBzye
IlZ/596zXw0Lj5WgWMc+58p5XKmxryPdCEqMzBYnZ7S26dyN7qqk+3Ol5w5yOhfA
lCtYuljTPHj7Sxw0eUKrqCxf+I08wiQsdrrG6fPh+uktx2gZkuO9HWRRMuJUyH4e
up/Jyl6I2E5KIL8FOQKIGFnHKGPpmbs80ry83juRjEl/OVnV7G/sbJIneCKqjPME
mk/kVSr9p8Bb5motHfjlIeQZ2sX9sL8ZR21BO0JnVyMQmJKqsE7Eu/ytqZfYBFn1
tKQg2r1gkhD/YlDyuoO53lh4gl+GB3AeM9SdDAvRIw2OlQeOhFTZuN5AEM9FVyk2
0bjZSSqVfY0xvstin1IIKtkoB6ZzvBDhKFnf9GWAXil2FMZLcEgwnA46HfC4OG5W
oufataqUu6QDb45heLO+tbzQn8MKvmJy/2QxMvyqtKPRt4mIcJCx1IVoZNlh1rGf
TJoL6gB96InYkvNjqHATWGBzu3Z84DrDls3QCvLgkXlMIdquE3QsUOafddT+tpVZ
+WRJPwIz+2GtAgrLeji6lpU1k3eI/a53KkOuwYX2J+Bb3PgALkcWEJiE//2/87/5
QMKo89Sl+XQ4kA5G2uGfO/rtv66CLaaXj+c+Hz22HatsTzhOy/WjPrIC0CTaz+uc
l/t9a1aNk6XxgSfYcb5Hu/CpVvxAJI7OBDLutpGnga8Fa4Zpz93YAAmQn8H8vxBp
CAb+62Cvl0IkgvyYqXjcq/QMwTWyd/FwInYQphyVI8uGDCXkc/nZKv4ZYAgJ7bRh
ZDF4eALmUnBl50jg9NL3j0CvBbNV9Rw4ubdqFzqXeP4isFGardRBGvjnlgNI6ssx
Uu9oboOawcC+B2Fssgs2khFUoNbZDK/dByau/5n/AhhkgpnAgsM3IfBPuu+DDmiI
hFH5fXxpzNMsMDlj7F/FhdNQ2oiCeoa43vhPT3FORWLFoqVhJfm3TfMmNGBuGLV4
vq+3FI2QA1TJl7xSBRpj7lmxoOpdhbsNDE4/2vnjCbu1Aqlw5ZfIAzJRDjdIxeZ9
tSOrzTT5nShtCKyzlR+CxbZ4fGfq9GlV+LhhBVrQ+mnj+ZfcV8Pt2Ed6u3qrG0aA
/b/9cTVIV1Nq6s491/3rwSN0eAiQASLzLj9DmyzkFlvqQzMtfORkW7/CSxvD7A5g
NbeU4HGd87tDTGwcpiWddcfjRdwWPM7nuNVe+J/l/59ZchcbZOtF6TmkSg495AEd
ovDrPlgWh2czdHbVSikn1BvQQRCsl1qFFkcw00GDxuS3Rz8GoGI4yXaei0ClodPP
vmuU9zAnM3RZnnPaNBOtPdiqe0MiFgOptfkyzROxSkXhpFzKSo0wOB4DUSgUmyX2
dOi5NCxfL5N+eAJCsrXSq4FODWpo/irmpVg/H0Kf+GnW9I2qU4JJPNU=
=YE+T
-----END PGP MESSAGE-----