Security Bug due to Unchecked use of GnuTLS function

Yuan Jochen Kang yjk2106 at columbia.edu
Sun Jul 17 15:12:22 EDT 2016


Hi Ethan,

I wanted to check with you on the status of the CVE request.

Thanks,
Yuan

On Thu, Apr 21, 2016 at 1:12 AM, Yuan Jochen Kang <yjk2106 at columbia.edu>
wrote:

> Hi Ethan,
>
> You can request a CVE when you're ready.
>
> The summary:
> x509 certificates may be improperly imported.
> Such a case occurs when GnuTLS is used, and the x509 certificate could not
> be initialized, for example due to a memory failure. The initialization
> failure is not handled, and the invalid certificate is silently propagated.
>
> The people involved:
> Baishakhi Ray from the University of Virginia, and Suman Jana and myself
> from Columbia University.
>
> Feel free to ask me for any additional information.
>
> Thanks,
> Yuan
>
> On Tue, Apr 19, 2016 at 9:10 AM, Ethan Blanton <elb at pidgin.im> wrote:
>
>> Yuan Jochen Kang spake unto us the following wisdom:
>> > Yes, I agree with your assessment.
>>
>> Great.  We will hopefully get this out in the next few weeks (say, by
>> the end of May?) as a coordinated release.
>>
>> Would you like us to request a CVE for this, or would you?  If you
>> would like us to request it, we will need the relevant information
>> from you (how you would like to be credited, a brief summary, etc.).
>> If you would like to request it, please coordinate with us to ensure
>> that the embargo is correct.
>>
>> Thanks for helping us make libpurple better!
>>
>> Ethan
>>
>
>
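As an added illustration of the unchecked-return pattern the summary above describes (example code written for this page, not libpurple's or GnuTLS's own): the gnutls_* functions below are constructed stand-ins that keep the real names, argument order and 0-on-success / negative-on-error convention so the block builds without libgnutls, and the import that ignores both return values is shown beside the form that checks each one and releases the handle on failure.

```c
#include <stdlib.h>

/* Constructed stand-ins for the GnuTLS X.509 API (same names, argument order
 * and return convention as the real calls); replace with <gnutls/x509.h>. */
#define GNUTLS_E_SUCCESS          0
#define GNUTLS_E_MEMORY_ERROR     (-25)
#define GNUTLS_E_INVALID_REQUEST  (-50)
#define GNUTLS_X509_FMT_PEM       1

typedef struct { int imported; } *gnutls_x509_crt_t;
typedef struct { unsigned char *data; unsigned int size; } gnutls_datum_t;

static int simulate_alloc_failure = 0;   /* test hook, not part of GnuTLS */

static int gnutls_x509_crt_init(gnutls_x509_crt_t *cert)
{
    if (simulate_alloc_failure) { simulate_alloc_failure = 0; *cert = NULL; return GNUTLS_E_MEMORY_ERROR; }
    *cert = calloc(1, sizeof(**cert));
    return *cert ? GNUTLS_E_SUCCESS : GNUTLS_E_MEMORY_ERROR;
}
static int gnutls_x509_crt_import(gnutls_x509_crt_t cert, const gnutls_datum_t *d, int fmt)
{
    (void)fmt;
    if (cert == NULL || d == NULL || d->size == 0) return GNUTLS_E_INVALID_REQUEST;
    cert->imported = 1;                   /* a real import would parse d->data */
    return GNUTLS_E_SUCCESS;
}
static void gnutls_x509_crt_deinit(gnutls_x509_crt_t cert) { free(cert); }

/* Constructed sample input; the stand-in above does not parse it. */
static unsigned char sample_pem[] = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n";
static const gnutls_datum_t sample = { sample_pem, sizeof sample_pem - 1 };

/* The pattern the report describes: neither return value is examined, so when
 * init fails the NULL handle is "imported" and returned as if it were valid. */
static gnutls_x509_crt_t import_unchecked(const gnutls_datum_t *d)
{
    gnutls_x509_crt_t crt;
    gnutls_x509_crt_init(&crt);
    gnutls_x509_crt_import(crt, d, GNUTLS_X509_FMT_PEM);
    return crt;
}

/* Hardened form: check each call, free the handle on any failure, and
 * surface the GnuTLS error code so the caller can refuse the certificate. */
static int import_checked(const gnutls_datum_t *d, gnutls_x509_crt_t *out)
{
    int rc = gnutls_x509_crt_init(out);
    if (rc < 0) { *out = NULL; return rc; }
    rc = gnutls_x509_crt_import(*out, d, GNUTLS_X509_FMT_PEM);
    if (rc < 0) { gnutls_x509_crt_deinit(*out); *out = NULL; return rc; }
    return GNUTLS_E_SUCCESS;
}
```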