Security Bug due to Unchecked use of GnuTLS function
Yuan Jochen Kang
yjk2106 at columbia.edu
Thu Apr 21 01:12:56 EDT 2016
You can request a CVE when you're ready.
x509 certificates may be improperly imported.
Such a case occurs when GnuTLS is used and the x509 certificate could not be
initialized, for example due to a memory failure. The initialization
failure is not handled, and the invalid certificate is silently propagated.
The people involved:
Baishakhi Ray from the University of Virginia, and Suman Jana and myself
from Columbia University.
Feel free to ask me for any additional information.
On Tue, Apr 19, 2016 at 9:10 AM, Ethan Blanton <elb at pidgin.im> wrote:
> Yuan Jochen Kang spake unto us the following wisdom:
> > Yes, I agree with your assessment.
> Great. We will hopefully get this out in the next few weeks (say, by
> the end of May?) as a coordinated release.
> Would you like us to request a CVE for this, or would you? If you
> would like us to request it, we will need the relevant information
> from you (how you would like to be credited, a brief summary, etc.).
> If you would like to request it, please coordinate with us to ensure
> that the embargo is correct.
> Thanks for helping us make libpurple better!
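The unchecked-initialization pattern described in the report, beside its hardened form, as an added example that is not code from the report, libpurple or GnuTLS: `standin_crt_init`, `standin_crt_import`, the error constant and the `g_simulate_oom` fault-injection flag are constructed stand-ins that only mirror the GnuTLS convention of returning 0 on success and a negative code on failure.

```c
#include <stdlib.h>
#include <stddef.h>
#include <string.h>

/* Constructed error code; mirrors GnuTLS's convention of negative error returns. */
#define STANDIN_E_MEMORY_ERROR (-25)

typedef struct { unsigned char der[64]; size_t der_len; } standin_crt_t;
typedef struct { standin_crt_t *crt; } cert_data_t;

int g_simulate_oom = 0; /* fault injection: 1 makes the init stand-in fail */

/* Stand-in for an x509 init call: 0 on success, negative on failure. */
int standin_crt_init(standin_crt_t **crt) {
    if (g_simulate_oom) { *crt = NULL; return STANDIN_E_MEMORY_ERROR; }
    *crt = calloc(1, sizeof **crt);
    return *crt ? 0 : STANDIN_E_MEMORY_ERROR;
}

/* Stand-in for an x509 import call: copies DER bytes into the handle.
 * It rejects a NULL handle; a real library call would dereference it. */
int standin_crt_import(standin_crt_t *crt, const unsigned char *der, size_t len) {
    if (crt == NULL || len > sizeof crt->der) return -1;
    memcpy(crt->der, der, len);
    crt->der_len = len;
    return 0;
}

/* The pattern the report describes: init (and import) results are dropped,
 * so on failure the caller receives a "certificate" whose handle is NULL. */
cert_data_t *import_unchecked(const unsigned char *der, size_t len) {
    cert_data_t *cd = calloc(1, sizeof *cd);
    if (cd == NULL) return NULL;
    standin_crt_init(&cd->crt);
    standin_crt_import(cd->crt, der, len);
    return cd;
}

/* Hardened form: every return code is checked and failure is reported as NULL. */
cert_data_t *import_checked(const unsigned char *der, size_t len) {
    cert_data_t *cd = calloc(1, sizeof *cd);
    if (cd == NULL) return NULL;
    if (standin_crt_init(&cd->crt) < 0) { free(cd); return NULL; }
    if (standin_crt_import(cd->crt, der, len) < 0) { free(cd->crt); free(cd); return NULL; }
    return cd;
}

void cert_data_free(cert_data_t *cd) { if (cd) { free(cd->crt); free(cd); } }
```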