[Pidgin] #14571: Win32 installer uses insecure GTK+ version

Pidgin trac at pidgin.im
Thu Aug 23 19:22:51 EDT 2012


#14571: Win32 installer uses insecure GTK+ version
--------------------+-------------------------------------------------------
 Reporter:  sdierl  |        Owner:  datallah       
     Type:  defect  |       Status:  new            
Milestone:  3.0.0   |    Component:  winpidgin (gtk)
  Version:  2.10.0  |   Resolution:                 
 Keywords:          |  
--------------------+-------------------------------------------------------

Comment(by ioerror):

 I did read your comments and I am asking a question that has not been
 previously asked. It is still unaddressed:

 Is there an assertion that none of the vulnerable .dll code is used
 *anywhere* by *anything*?

 If so, why not remove the unused .dll files?

 If I had a newer dll version locally, yes, I realize that Pidgin *might*
 load it. However, I don't have a newer version locally; that is why I
 installed the version provided by the Pidgin installer. It was surprising
 that it wasn't as current a build as the rest of Pidgin.

 Furthermore, when you say it isn't an over-the-wire vulnerability, how
 exactly is Pidgin decoding my buddy's PNG icon if not with the libpng code
 in the .dll?

-- 
Ticket URL: <http://developer.pidgin.im/ticket/14571#comment:10>
Pidgin <http://pidgin.im>