[Pidgin] #14571: Win32 installer uses insecure GTK+ version
Pidgin
trac at pidgin.im
Mon Sep 12 12:46:02 EDT 2011
#14571: Win32 installer uses insecure GTK+ version
--------------------+-------------------------------------------------------
Reporter: sdierl | Owner: datallah
Type: defect | Status: new
Milestone: 3.0.0 | Component: winpidgin (gtk)
Version: 2.10.0 | Resolution:
Keywords: |
--------------------+-------------------------------------------------------
Comment(by datallah):
I guess how critical this is depends on your perspective.
This isn't an "over the wire" vulnerability.
To exploit this problem, Pidgin has to be launched so that one of the
potentially problematic DLLs is higher up in the search path than the
expected DLL.
There are 3 scenarios under which this could happen:
* The machine has the system DLLs replaced with hacked versions (in
which case, all bets are off and the updated GTK+ will still be just as
vulnerable).
* The Path of the machine has been updated such that a file with the name
of one of these DLLs is in the Path (once again, if your machine has
hacked files in the Path, you have bigger problems).
* You can trick Pidgin to launch from a location containing the
vulnerable DLLs (the current directory will be in the Path). This is the
only situation that I think is worth worrying about. Generally, this type
of exploit would be done by making a link to a file in the same directory
as the vulnerable DLL and asking Pidgin to open it. Since Pidgin doesn't
register any file types, this isn't an avenue that is really viable.
Given the above, I don't believe that this really affects Pidgin without
the end user doing something that is already problematic (e.g. running a
batch file that modifies the path or changes to a wacky directory and then
launches Pidgin), so I don't think it is necessary to release an update to
specifically address this issue.
--
Ticket URL: <http://developer.pidgin.im/ticket/14571#comment:4>
Pidgin <http://pidgin.im>
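
A defender-side check for the condition the comment above describes (a file with the expected DLL's name sitting higher up in the search path than the expected copy), added here as an illustration; it is not part of the original ticket or of Pidgin's code. The search order is supplied by the caller rather than derived, and `example.dll`, `find_shadowing` and the directory layout are constructed for the example.

```python
import os
import tempfile


def find_shadowing(dll_name, search_order, expected_dir):
    """Return directories that hold dll_name and are searched before expected_dir.

    search_order is the ordered list of directories the loader would consult;
    it is an input chosen by the caller (assumption), not computed here.
    """
    wanted = dll_name.lower()
    expected = os.path.normcase(os.path.abspath(expected_dir))
    hits = []
    for directory in search_order:
        current = os.path.normcase(os.path.abspath(directory))
        if current == expected:
            break  # reached the expected copy; later entries cannot shadow it
        try:
            names = os.listdir(current)
        except OSError:
            continue  # missing or unreadable entries are skipped
        # Windows file names are case-insensitive, so compare in lower case.
        if any(name.lower() == wanted for name in names):
            hits.append(directory)
    return hits


def demo():
    """Audit a constructed layout before and after a stray copy appears."""
    with tempfile.TemporaryDirectory() as root:
        app, gtk, cwd = (os.path.join(root, d) for d in ("app", "gtk", "cwd"))
        for d in (app, gtk, cwd):
            os.mkdir(d)
        # Constructed stand-in for the expected DLL location.
        open(os.path.join(gtk, "example.dll"), "wb").close()
        order = [app, cwd, gtk]  # constructed order: cwd precedes the GTK+ dir
        clean = find_shadowing("example.dll", order, gtk)
        # A same-named file in the launch directory, differing only in case.
        open(os.path.join(cwd, "EXAMPLE.DLL"), "wb").close()
        shadowed = find_shadowing("example.dll", order, gtk)
        return clean, [os.path.basename(p) for p in shadowed]


if __name__ == "__main__":
    print(demo())
```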