[Pidgin] #14571: Win32 installer uses insecure GTK+ version

Pidgin trac at pidgin.im
Fri Aug 24 14:50:13 EDT 2012

#14571: Win32 installer uses insecure GTK+ version
 Reporter:  sdierl  |        Owner:  datallah       
     Type:  defect  |       Status:  new            
Milestone:  3.0.0   |    Component:  winpidgin (gtk)
  Version:  2.10.0  |   Resolution:                 
 Keywords:          |  

Comment(by ioerror):

 Replying to [comment:19 datallah]:
 > Replying to [comment:16 ioerror]:
 > > I changed the malformed png a bit:
 > <SNIP>
 > > It appears that this png doesn't get wiped from disk even though it is
 clearly malformed. Additionally, I only see those decode errors on the
 Windows Pidgin, I do not see them on the Ubuntu Pidgin. I think that means
 that I am hitting the GTK libs that are vulnerable, perhaps?
 > The fact that the file is still there there isn't a problem; it's just a
 cached value of what the server sent; we wouldn't want to re-download the
 same data.

 Well, pidgin gets rid of it in one case but not in another. Why the
 difference? It seems like in one case, pidgin removes the image because it
 is bad; the other case pidgin also has errors but keeps it around. Keeping
 it on disk may make attacking the image library even easier.

Ticket URL: <http://developer.pidgin.im/ticket/14571#comment:23>
Pidgin <http://pidgin.im>

More information about the Tracker mailing list