mxit libpurple protocol

Andrew Victor andrew.victor at mxit.com
Thu May 12 02:52:00 EDT 2016


hi,

I have committed patches for all these issues to:
   ssh://hg@hg.pidgin.im/private/talos-2016-04-14

It's probably best to use the patches in the root directory since they
should be applied in sequence:
  01-validate_mood.patch
  02-table_markup_strsplit.patch
  03-table_markup_missing_fields.patch
  04-splash_filename_escape.patch
  05-stage3_read_error.patch
  06-font_color_tag.patch
  07-multimix_nickname.patch
  08-packet_starts_with_NULL.patch
  09-profile_missing_fields.patch
  10-suggestcontacts_missing_fields.patch
  11-chunk_unsigned.patch
  12.1-chunk_decoding_errors.patch
  12.2-chunk_header.patch
  12.3-getfile_chunk.patch
  13.1-http_post_snprintf.patch
  13.2-scnprintf.patch
  14-http_content_length_unsigned.patch
  15-chunk_decoding.patch

Those match to:
  00. TALOS-CAN-0122        -- Protocol issue (not libPurple issue)
  01. TALOS-CAN-0141        -- Validate mood
  02. TALOS-CAN-0134        -- Table markup - g_strsplit
  03. TALOS-CAN-0133        -- Table markup - missing required fields
  04. TALOS-CAN-0128        -- Splash screen
  05. TALOS-CAN-0118        -- Stage 3 read error
  06. TALOS-CAN-0123        -- Font Color
  07. TALOS-CAN-0142        -- MultiMx nickname
  08. TALOS-CAN-0137        -- CMD decoding
  09. TALOS-CAN-0139        -- Profile fields
  10. TALOS-CAN-0143        -- Search fields
  11. TALOS-CAN-0120        -- Chunk unsigned data-types
  12. TALOS-CAN-0140        -- GetFile Chunk OOB
  13. TALOS-CAN-0136        -- g_snprintf
  14. TALOS-CAN-0119        -- HTTP Content-Length
  15. TALOS-CAN-0138,        -- Custom Resource Chunk OOB
        TALOS-CAN-0135        -- Avatar Chunk OOB

If somebody has time to review the changes, that would be much appreciated.


Regards,
  Andrew Victor





On Sun, May 1, 2016 at 7:12 PM, Ethan Blanton <elb at pidgin.im> wrote:

> Andrew Victor spake unto us the following wisdom:
> > That is correct, the following are outstanding:
> >
> > TALOS-CAN-0119      -- HTTP Content-Length
> > TALOS-CAN-0136      -- g_snprintf
> > TALOS-CAN-0135      -- Avatar Chunk OOB
> > TALOS-CAN-0138      -- Custom Resource Chunk OOB
> > TALOS-CAN-0140      -- GetFile Chunk OOB
> >
> > I don't have an ETA for them yet - but am working on them when I get time.
> >
> > What date did TALOS report them?  i.e., when is the 60 days?
>
> April 14.  But in order to meet the 60 days with coordinated release,
> we'll have to have all of the fixes ready quite a bit in advance -- a
> couple of weeks, anyway.
>
> We can also ask for an extension, but I didn't get a clear answer on
> how flexible they are about those 60 days.
>
> We have one other security-related fix (not in mxit) we have to get
> in, too, for which there is currently no patch.
>
> Ethan
>