[Pidgin] #7130: The Pidgin project is distributing an outdated/insecure GTK+ runtime

Pidgin trac at pidgin.im
Thu Sep 18 22:38:50 EDT 2008


#7130: The Pidgin project is distributing an outdated/insecure GTK+ runtime
---------------------------+------------------------------------------------
 Reporter:  aloishammer    |        Owner:  datallah       
     Type:  defect         |       Status:  pending        
Milestone:                 |    Component:  winpidgin (gtk)
  Version:  2.5.1          |   Resolution:                 
 Keywords:  security gtk+  |  
---------------------------+------------------------------------------------
Changes (by aloishammer):

  * status:  pending => new


Comment:

 Replying to [comment:2 datallah]:
 > As a side note, we're planning to upgrade to GTK+ 2.12.12 with libpng
 > 1.2.29 and freetype 2.3.6 (we're using the latest release of libtiff) with
 > the next release.

 Here are two good reasons to use the most *recent* stable release of libpng
 instead, or even an unstable release:

 http://secunia.com/advisories/product/3439/?task=advisories_2008

 Here's a libtiff vuln that's not even patched yet:

 http://secunia.com/advisories/product/4053/?task=advisories_2008

 Best advice: start looking for advisories for other dependencies, and
 disable libtiff for now unless there's no way to exploit it remotely
 (again, via buddy icons, say).

 Pidgin-Win32 appears to be fine with either GTK+ 2.16 or 2.18.  I've been
 testing with 2.16 for months, and 2.18 since the binaries were released on
 ftp.gnome.org.  Updated glib, too.

 No vulns reported for GTK+ in the last while, but here are two tasty glib
 vulns for 2008, one that affects up through 2.14.5, and one up through
 2.16.3:

 http://secunia.com/advisories/product/17585/?task=advisories_2008

 At a guess -- I don't see the point in doing additional research on the
 topic right now -- there are at least six to eight remotely exploitable
 vulns in Pidgin 2.5.1 for Win32 as currently distributed, unless you spend
 a fair amount of time manually overwriting the DLLs placed in
 %CommonProgramFiles% by the installer.

 I don't know what portion of your user base uses Pidgin-Win32 instead of
 libpurple on OS X or UNIX, but it includes me (although I use Pidgin on
 Linux by choice), so I have a vested interest in seeing regular updates of
 the GTK+ installer -- at the rate of bugs being reported in GTK+, glib, and
 dependencies, I'd say at least once or twice every quarter.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/7130#comment:3>
Pidgin <http://pidgin.im>
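The check the comment above implies (is the GTK+ runtime that the Pidgin installer dropped under %CommonProgramFiles% older than the versions named in the thread?) can be automated from a defender's side. This is an added example, not code from the ticket or from the Pidgin project; the install path, the DLL file names and the minimum-version table are assumptions for illustration, with the minimums taken from the versions discussed above.

```powershell
# Added example (not part of the ticket): inventory the GTK+ runtime DLLs that
# the Pidgin Win32 installer places under %CommonProgramFiles%\GTK\2.0\bin and
# flag any whose file version is below a minimum taken from the thread.
# ASSUMPTIONS: the bin path, the DLL names and the minimum-version table below.
$gtkBin = Join-Path $env:CommonProgramFiles 'GTK\2.0\bin'

# Minimums: the planned upgrade quoted in the thread (GTK+ 2.12.12, libpng
# 1.2.29, freetype 2.3.6) and, for glib, the first version after the range
# the cited advisories are said to cover (up through 2.16.3).
$minimums = @{
    'libgtk-win32-2.0-0.dll' = [version]'2.12.12'
    'libpng12-0.dll'         = [version]'1.2.29'
    'freetype6.dll'          = [version]'2.3.6'
    'libglib-2.0-0.dll'      = [version]'2.16.4'
}

function Get-DllVersion([string]$Path) {
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    # Many MinGW-built DLLs ship without a version resource; report "unknown"
    # rather than silently treating them as current.
    if ([string]::IsNullOrWhiteSpace($info.FileVersion)) { return $null }
    # Normalise "1.2.29.0" or "1, 2, 29, 0" style strings into a [version].
    $clean = ($info.FileVersion -replace ',', '.') -replace '[^0-9.]', ''
    try { return [version]$clean } catch { return $null }
}

function Test-GtkRuntime([string]$BinDir, [hashtable]$Minimums) {
    foreach ($name in $Minimums.Keys) {
        $path = Join-Path $BinDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Output ("{0,-24} MISSING" -f $name)
            continue
        }
        $ver = Get-DllVersion $path
        $min = $Minimums[$name]
        $state = if ($null -eq $ver) { 'UNKNOWN (no version resource; verify by hand)' }
                 elseif ($ver -lt $min) { "OUTDATED ($ver is below $min)" }
                 else { "ok ($ver)" }
        Write-Output ("{0,-24} {1}" -f $name, $state)
    }
}

Test-GtkRuntime -BinDir $gtkBin -Minimums $minimums
```

An OUTDATED or UNKNOWN line is a cue to compare the file against the upstream release rather than trust the installer's bundle.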