Security Bug due to Unchecked use of GnuTLS function

Yuan Jochen Kang yjk2106 at
Sun Jul 17 15:12:22 EDT 2016

Hi Ethan,

I wanted to check with you on the status of the CVE request.


On Thu, Apr 21, 2016 at 1:12 AM, Yuan Jochen Kang <yjk2106 at>

> Hi Ethan,
> You can request a CVE when you're ready.
> The summary:
> x509 certificates may be improperly imported.
> Such a case occurs when GnuTLS is used, and the x509 certificate could not
> be initialized, for example due to a memory failure. The initialization
> failure is not handled, and the invalid certificate is silently propagated.
> The people involved:
> Baishakhi Ray from the University of Virginia, and Suman Jana and myself
> from Columbia University.
> Feel free to ask me for any additional information.
> Thanks,
> Yuan
> On Tue, Apr 19, 2016 at 9:10 AM, Ethan Blanton <elb at> wrote:
>> Yuan Jochen Kang spake unto us the following wisdom:
>> > Yes, I agree with your assessment.
>> Great.  We will hopefully get this out in the next few weeks (say, by
>> the end of May?) as a coordinated release.
>> Would you like us to request a CVE for this, or would you?  If you
>> would like us to request it, we will need the relevant information
>> from you (how you would like to be credited, a brief summary, etc.).
>> If you would like to request it, please coordinate with us to ensure
>> that the embargo is correct.
>> Thanks for helping us make libpurple better!
>> Ethan
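A self-contained C model of the failure mode described in the quoted summary, added here as an example; it is not code from libpurple, GnuTLS, or the thread's authors. GnuTLS itself is not linked: `cert_init_stub` and `cert_import_stub` are constructed stand-ins for an initializer/importer pair of the kind the summary refers to (returning 0 on success and a negative code on failure, and leaving the output handle untouched on failure), with a fault-injection switch so the out-of-memory path can be exercised deterministically. It contrasts the unchecked import, which reports success while handing back an invalid handle, with a checked version that propagates the initializer's error and releases any partially built state.

```c
/* Added example (not libpurple or GnuTLS code): models the unchecked
 * certificate-initialization pattern described in the thread.
 * cert_init_stub / cert_import_stub are constructed stand-ins for a
 * library initializer/importer pair; the real library is not linked. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CERT_E_SUCCESS         0
#define CERT_E_MEMORY_ERROR   -25  /* constructed error code for the stand-in */
#define CERT_E_INVALID_HANDLE -26  /* constructed error code for the stand-in */

typedef struct cert_handle {
    char subject[64];
} *cert_t;

/* Fault injection: when set, the next initializer call fails as if the
 * allocation behind the handle had run out of memory. */
static int fail_next_init = 0;
void inject_init_failure(void) { fail_next_init = 1; }

/* Stand-in initializer: returns 0 on success, a negative code on failure,
 * and leaves *out untouched when it fails. */
static int cert_init_stub(cert_t *out)
{
    if (fail_next_init) {
        fail_next_init = 0;
        return CERT_E_MEMORY_ERROR;
    }
    cert_t tmp = calloc(1, sizeof *tmp);
    if (!tmp)
        return CERT_E_MEMORY_ERROR;
    *out = tmp;
    return CERT_E_SUCCESS;
}

/* Stand-in importer: copies the "PEM" text into the handle. */
static int cert_import_stub(cert_t cert, const char *pem)
{
    if (cert == NULL)
        return CERT_E_INVALID_HANDLE;   /* a real library might crash instead */
    snprintf(cert->subject, sizeof cert->subject, "%s", pem);
    return CERT_E_SUCCESS;
}

/* Vulnerable shape: both return values are discarded, so an init failure
 * leaves crt invalid and the function still reports success. crt is set
 * to NULL here only to keep the demo deterministic; in real code it would
 * hold whatever happened to be on the stack. */
int import_unchecked(const char *pem, cert_t *out)
{
    cert_t crt = NULL;
    cert_init_stub(&crt);
    cert_import_stub(crt, pem);
    *out = crt;
    return 0;
}

/* Hardened shape: each step is checked, errors are propagated to the
 * caller, and a partially built handle is released rather than leaked. */
int import_checked(const char *pem, cert_t *out)
{
    cert_t crt = NULL;
    int rc;

    *out = NULL;
    rc = cert_init_stub(&crt);
    if (rc != CERT_E_SUCCESS)
        return rc;
    rc = cert_import_stub(crt, pem);
    if (rc != CERT_E_SUCCESS) {
        free(crt);
        return rc;
    }
    *out = crt;
    return CERT_E_SUCCESS;
}

int main(void)
{
    cert_t c = NULL;
    const char *pem = "CN=constructed example";   /* constructed input */

    inject_init_failure();
    printf("unchecked: rc=%d handle=%p\n", import_unchecked(pem, &c), (void *)c);

    inject_init_failure();
    printf("checked:   rc=%d handle=%p\n", import_checked(pem, &c), (void *)c);

    if (import_checked(pem, &c) == CERT_E_SUCCESS) {
        printf("checked (no fault): subject=%s\n", c->subject);
        free(c);
    }
    return 0;
}
```

The fault-injection call before each import is the check a reviewer wants when verifying a fix of this kind: with the initializer forced to fail, the importer must return the initializer's error and leave the caller's handle NULL, rather than returning success with an uninitialized or NULL certificate that later code will treat as valid.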