[Pidgin] #15281: Gtk libraries dangerously out of date?

Pidgin trac at pidgin.im
Thu Aug 23 01:05:23 EDT 2012


#15281: Gtk libraries dangerously out of date?
----------------------+-----------------------------------------------------
 Reporter:  ioerror   |        Owner:  datallah       
     Type:  defect    |       Status:  new            
Milestone:            |    Component:  winpidgin (gtk)
  Version:  2.10.6    |   Resolution:                 
 Keywords:  security  |  
----------------------+-----------------------------------------------------

Comment(by abadidea):

 Was asked if I was seeing the same thing, I did a clean install of the
 current binary build for Windows and I can confirm that according to the
 DLL metadata:

 nss3.dll / ssl3.dll are 3.12.5.0 which is a few years out of date:
 ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/

 zlib1.dll is 1.2.2.0 which is extremely out of date: http://zlib.net/
 cites 1.2.3 as being in 2005. The embedded copyright is 1995-2004. I
 really want to believe that this is a build script error inserting the
 wrong version?? Because if not that is REALLY bad.

 libgtk-win32-2.0-0.dll is apparently actually 2.16.6.0 and the embedded
 copyright is 2005. http://www.gtk.org/download/win32.php says that 2.24 is
 the current stable.

 libpng does not have an embedded version but is named libpng14-14.dll
 which I take to be 1.4.14, which is... okay what is up with libpng's
 numbering scheme? There appear to be several concurrent number ranges? The
 most recent vuln warning for 1.4.x is 1.4.11 so I guess this one is okay.

 As ioerror points out, leaving libraries that handle network data to
 version decay can lead to very high exploitability risk...

-- 
Ticket URL: <http://developer.pidgin.im/ticket/15281#comment:1>
Pidgin <http://pidgin.im>
Pidgin
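Added example, not part of the original comment or of Pidgin's build tooling: one way to automate the check described above, reading each bundled DLL's embedded file version and flagging anything below a floor. The function names, the constructed sample bytes and the baseline table are assumptions for illustration; the baseline uses only versions the comment itself cites (zlib 1.2.3, GTK 2.24), so NSS has no entry.

```python
import struct

VS_FFI_SIGNATURE = 0xFEEF04BD  # first DWORD of VS_FIXEDFILEINFO

def file_version(data):
    """Return the 4-part file version from a DLL's version resource, or
    None when no VS_FIXEDFILEINFO is found (the libpng case above)."""
    # Heuristic: scan for the signature rather than walking the PE
    # resource directory, so a chance byte match is possible.
    pos = data.find(struct.pack("<I", VS_FFI_SIGNATURE))
    if pos < 0 or pos + 16 > len(data):
        return None
    # dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    _, _, ms, ls = struct.unpack_from("<4I", data, pos)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def audit(dlls, baseline):
    """Map each DLL name to 'stale', 'ok', 'no-version' or 'no-baseline'."""
    report = {}
    for name, data in dlls.items():
        found = file_version(data)
        if found is None:
            report[name] = "no-version"
        elif name not in baseline:
            report[name] = "no-baseline"
        else:
            report[name] = "stale" if found < baseline[name] else "ok"
    return report

def fake_dll(version=None):
    """Constructed stand-in for a DLL's bytes; not a loadable PE file."""
    blob = b"MZ" + b"\x00" * 62
    if version:
        a, b, c, d = version
        blob += struct.pack("<4I", VS_FFI_SIGNATURE, 0x10000, a << 16 | b, c << 16 | d)
    return blob

# Constructed inputs carrying the versions reported in the comment.
SAMPLE = {
    "nss3.dll": fake_dll((3, 12, 5, 0)),
    "zlib1.dll": fake_dll((1, 2, 2, 0)),
    "libgtk-win32-2.0-0.dll": fake_dll((2, 16, 6, 0)),
    "libpng14-14.dll": fake_dll(),
}
# Illustrative floor built only from versions the comment cites.
BASELINE = {"zlib1.dll": (1, 2, 3), "libgtk-win32-2.0-0.dll": (2, 24)}

if __name__ == "__main__":
    for name, status in audit(SAMPLE, BASELINE).items():
        print(name, file_version(SAMPLE[name]), status)
```

Against a real install, pass the bytes of each DLL read from disk instead of `SAMPLE`; a "no-version" or "no-baseline" result needs manual follow-up rather than being treated as a pass.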

