PGP key for vulnerability reports

Rich Johnson (richjoh) richjoh at
Wed Jan 22 15:39:21 EST 2014

Great, thanks for the update Mark. Did we manage to get credit merged so everyone shows up on the combined CVE? They're all a similar class of vulnerability but in different components so it seems a little unusual to merge them. I'm fine with that decision, I just want to make sure my guys get credited appropriately.  

Rich Johnson  

-----Original Message-----
From: Mark Doliner [mailto:mark at] 
Sent: Wednesday, January 22, 2014 3:18 AM
To: Richard Johnson
Cc: Rich Johnson (richjoh); Pidgin Security; Yves Younan; VRT-vulndev (vrt-vulndev at
Subject: Re: PGP key for vulnerability reports

Hi again. Just wanted to share some info. The embargo date is set:
Tuesday 2013-01-28 at 07:00 PST, 10:00 EST, 15:00 UTC.

We'll be releasing Pidgin 2.10.8 at that time. And we have two CVEs for the bugs you found.

- Pidgin uses clickable links to untrusted executables

Used for three similar but different issues:
- Buffer overflow in Gadu-Gadu HTTP parsing
- Buffer overflow in MXit emoticon parsing
- Buffer overflow in SIMPLE header parsing

More information about the security mailing list