Security Bug due to Unchecked use of GnuTLS function

Yuan Jochen Kang yjk2106 at
Thu Apr 21 01:12:56 EDT 2016

Hi Ethan,

You can request a CVE when you're ready.

The summary:
x509 certificates may be improperly imported.
Such a case occurs when GnuTLS is used and the x509 certificate could not be
initialized, for example due to a memory failure. The initialization
failure is not handled, and the invalid certificate is silently propagated.

The people involved:
Baishakhi Ray from the University of Virginia, and Suman Jana and myself
from Columbia University.

Feel free to ask me for any additional information.


On Tue, Apr 19, 2016 at 9:10 AM, Ethan Blanton <elb at> wrote:

> Yuan Jochen Kang spake unto us the following wisdom:
> > Yes, I agree with your assessment.
> Great.  We will hopefully get this out in the next few weeks (say, by
> the end of May?) as a coordinated release.
> Would you like us to request a CVE for this, or would you?  If you
> would like us to request it, we will need the relevant information
> from you (how you would like to be credited, a brief summary, etc.).
> If you would like to request it, please coordinate with us to ensure
> that the embargo is correct.
> Thanks for helping us make libpurple better!
> Ethan
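The unchecked-initialization pattern the report describes, as an added example that is not from the original thread or from libpurple: the GnuTLS calls are replaced by constructed stand-ins that follow the same contract (0 on success, negative error code on failure) so the block compiles without the library; crt_init, crt_import, crt_deinit, import_x509_der and fail_next_init are hypothetical names.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins modelled on the GnuTLS x509 contract (0 on success,
 * negative error code on failure). They are NOT the real library. */
typedef struct { unsigned char *der; size_t len; } x509_crt;
typedef x509_crt *x509_crt_t;
#define E_SUCCESS         0
#define E_MEMORY_ERROR  (-25)
#define E_ASN1_DER_ERROR (-32)

/* Test hook: when non-zero, the next crt_init() simulates an allocation failure. */
static int fail_next_init = 0;

static int crt_init(x509_crt_t *cert) {
    if (fail_next_init) { fail_next_init = 0; return E_MEMORY_ERROR; }
    *cert = calloc(1, sizeof **cert);
    return *cert ? E_SUCCESS : E_MEMORY_ERROR;
}

static int crt_import(x509_crt_t cert, const unsigned char *der, size_t len) {
    if (len < 2 || der[0] != 0x30) return E_ASN1_DER_ERROR; /* DER SEQUENCE tag */
    cert->der = malloc(len);
    if (!cert->der) return E_MEMORY_ERROR;
    memcpy(cert->der, der, len);
    cert->len = len;
    return E_SUCCESS;
}

static void crt_deinit(x509_crt_t cert) {
    if (cert) { free(cert->der); free(cert); }
}

/* Hardened importer: every step is checked. On any failure the caller gets
 * the error code and *out stays NULL, so an uninitialized or half-built
 * handle can never be propagated as if it were a valid certificate. */
int import_x509_der(const unsigned char *der, size_t len, x509_crt_t *out) {
    x509_crt_t cert = NULL;
    int ret;
    *out = NULL;
    ret = crt_init(&cert);
    if (ret != E_SUCCESS) return ret;   /* the check the report found missing */
    ret = crt_import(cert, der, len);
    if (ret != E_SUCCESS) { crt_deinit(cert); return ret; } /* no leak */
    *out = cert;
    return E_SUCCESS;
}
```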