Security Bug due to Unchecked use of GnuTLS function

Yuan Jochen Kang yjk2106 at columbia.edu
Thu Apr 21 01:12:56 EDT 2016


Hi Ethan,

You can request a CVE when you're ready.

The summary:
x509 certificates may be improperly imported.
Such a case occurs when GnuTLS is used, and the x509 certificate could not be
initialized, for example due to a memory failure. The initialization
failure is not handled, and the invalid certificate is silently propagated.

The people involved:
Baishakhi Ray from the University of Virginia, and Suman Jana and myself
from Columbia University.

Feel free to ask me for any additional information.

Thanks,
Yuan

On Tue, Apr 19, 2016 at 9:10 AM, Ethan Blanton <elb at pidgin.im> wrote:

> Yuan Jochen Kang spake unto us the following wisdom:
> > Yes, I agree with your assessment.
>
> Great.  We will hopefully get this out in the next few weeks (say, by
> the end of May?) as a coordinated release.
>
> Would you like us to request a CVE for this, or would you?  If you
> would like us to request it, we will need the relevant information
> from you (how you would like to be credited, a brief summary, etc.).
> If you would like to request it, please coordinate with us to ensure
> that the embargo is correct.
>
> Thanks for helping us make libpurple better!
>
> Ethan
>
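The failure mode described in the summary above, as an added example that is not code from this thread, from libpurple, or from GnuTLS. The stand-in functions sim_crt_init, sim_crt_import and sim_crt_deinit only mimic the GnuTLS return convention (0 on success, a negative code on failure) and let a flag inject the allocation failure; the error values and the DER bytes are constructed placeholders. import_unchecked has the shape of the bug (return values ignored, invalid handle handed on), import_checked is the hardened form, and demo_init_failure drives both with initialization forced to fail.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the GnuTLS calls involved. They follow the
 * library's convention (0 on success, a negative code on failure) but are
 * NOT GnuTLS; the error values are chosen for this simulation only. A
 * global flag injects the allocation failure the advisory describes. */
#define SIM_E_SUCCESS          0
#define SIM_E_MEMORY_ERROR   (-25)
#define SIM_E_ASN1_DER_ERROR (-67)

typedef struct { unsigned char *der; size_t len; } sim_crt_st;
typedef sim_crt_st *sim_crt_t;

int g_fail_alloc = 0;   /* fault injection: set to 1 to make init fail */

int sim_crt_init(sim_crt_t *cert) {
    *cert = NULL;
    if (g_fail_alloc) return SIM_E_MEMORY_ERROR;
    *cert = calloc(1, sizeof(sim_crt_st));
    return *cert ? SIM_E_SUCCESS : SIM_E_MEMORY_ERROR;
}

/* Minimal DER check: a certificate is a SEQUENCE, so the first byte is 0x30. */
int sim_crt_import(sim_crt_t cert, const unsigned char *der, size_t len) {
    if (cert == NULL) return SIM_E_MEMORY_ERROR;        /* uninitialised handle */
    if (len < 2 || der[0] != 0x30) return SIM_E_ASN1_DER_ERROR;
    cert->der = malloc(len);
    if (cert->der == NULL) return SIM_E_MEMORY_ERROR;
    memcpy(cert->der, der, len);
    cert->len = len;
    return SIM_E_SUCCESS;
}

void sim_crt_deinit(sim_crt_t cert) {
    if (cert) { free(cert->der); free(cert); }
}

/* Vulnerable pattern (the shape of bug the advisory describes): neither
 * return value is checked, so when init fails the caller receives an
 * invalid handle and nothing signals that anything went wrong. */
sim_crt_t import_unchecked(const unsigned char *der, size_t len) {
    sim_crt_t cert;
    sim_crt_init(&cert);
    sim_crt_import(cert, der, len);
    return cert;
}

/* Hardened pattern: each call is checked, the handle is released on the
 * import error path, and the caller gets an explicit error code. */
int import_checked(const unsigned char *der, size_t len, sim_crt_t *out) {
    int rc;
    *out = NULL;
    rc = sim_crt_init(out);
    if (rc < 0) return rc;
    rc = sim_crt_import(*out, der, len);
    if (rc < 0) {
        sim_crt_deinit(*out);
        *out = NULL;
        return rc;
    }
    return SIM_E_SUCCESS;
}

/* Constructed placeholder inputs: only the leading tag matters to the
 * stand-in parser; neither is a real certificate. */
static const unsigned char SAMPLE_DER[] = { 0x30, 0x04, 0x02, 0x01, 0x01, 0x00 };
static const unsigned char BAD_DER[]    = { 0x02, 0x01, 0x01 };

/* Runs the checked importer and returns its result code, releasing any handle. */
int checked_rc(const unsigned char *der, size_t len) {
    sim_crt_t cert = NULL;
    int rc = import_checked(der, len, &cert);
    sim_crt_deinit(cert);
    return rc;
}

/* Exercises both importers with init forced to fail. Returns 1 when the
 * unchecked path hands back an invalid (NULL) handle with no error signal
 * while the checked path reports the memory error; 0 otherwise. */
int demo_init_failure(void) {
    sim_crt_t a, b = NULL;
    int rc;
    g_fail_alloc = 1;
    a = import_unchecked(SAMPLE_DER, sizeof SAMPLE_DER);
    rc = import_checked(SAMPLE_DER, sizeof SAMPLE_DER, &b);
    g_fail_alloc = 0;
    return a == NULL && b == NULL && rc == SIM_E_MEMORY_ERROR;
}

int main(void) {
    printf("init failure surfaced only by checked path: %s\n",
           demo_init_failure() ? "yes" : "no");
    printf("checked import of sample: rc=%d\n",
           checked_rc(SAMPLE_DER, sizeof SAMPLE_DER));
    printf("checked import of bad DER: rc=%d\n",
           checked_rc(BAD_DER, sizeof BAD_DER));
    return 0;
}
```

The point of the harness is the forced failure: without fault injection the unchecked and checked versions behave identically on well-formed input, which is why a missing check on an allocation-failure path survives normal testing.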