libpurple gadu-gadu issues

Mark Doliner mark at kingant.net
Thu Oct 16 02:35:27 EDT 2014


Alright, here's my thinking: We won't be requesting CVE numbers for
these three issues or announcing them as security vulnerabilities.

For the 2nd issue, Lukas, yes, you're right, this is basically as
described in example 3 at
http://cwe.mitre.org/data/definitions/400.html  Yes, ideally Pidgin
would intelligently limit its resource usage. But this is a hard
problem to solve. For one thing our protocols all have a lot of
functionality and exchange a large number of different messages with
the server--that's a lot of different things to place limits on. And
where should we draw the line on how much is too much? Certainly there
should be SOME limit on resource usage, and we should work on that in
the future, but for now this doesn't feel critical enough to treat as
a security problem.

For the 3rd issue, I also don't see a buffer overflow. I think we're ok here.

Thanks again for reporting these problems to us, Lukas! And sorry it's
taken us over a year to wrap up this email thread. FYI we're planning
a release next week that I think fixes the 1st and 3rd. And the 2nd
will need more work in the future.

Thanks,
Mark


More information about the security mailing list