[Pidgin] #14571: Win32 installer uses insecure GTK+ version

Pidgin trac at pidgin.im
Thu Aug 23 20:13:01 EDT 2012


#14571: Win32 installer uses insecure GTK+ version
--------------------+-------------------------------------------------------
 Reporter:  sdierl  |        Owner:  datallah       
     Type:  defect  |       Status:  new            
Milestone:  3.0.0   |    Component:  winpidgin (gtk)
  Version:  2.10.0  |   Resolution:                 
 Keywords:          |  
--------------------+-------------------------------------------------------

Comment(by datallah):

 You misunderstood what I wrote; the "vulnerable" DLL is used, of course,
 just not in a way that would be impacted by the vulnerability.

 I guess part of the confusion is that the scope of this is being expanded
 from the original report, which only referred to CVE-2010-4831.

 Looking at some of the things mentioned in #15281, see
 https://bitbucket.org/pidgin/main/src/release-2.x.y/pidgin/win32/nsis/generate_gtk_zip.sh#cl-19
 for the actual versions of the dependencies that are being used.
  * FreeType: This isn't actually used by Pidgin directly, but some
 plugins use it (guifications for one). Requires a problematic font to be
 installed to be problematic.
  * Expat: This isn't used to parse xml by pidgin itself (we use libxml2
 for that) and consequently doesn't parse any remote data. It's used by the
 GTK+ stack internally, IIRC only for fontconfig/freetype.
  * Zlib: We're using zlib 1.2.3, not 1.2.2.
  * libpng: Some of these are probably potential problems.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/14571#comment:11>
Pidgin <http://pidgin.im>