[Pidgin] #14571: Win32 installer uses insecure GTK+ version
Pidgin
trac at pidgin.im
Fri Aug 24 14:50:13 EDT 2012
#14571: Win32 installer uses insecure GTK+ version
--------------------+-------------------------------------------------------
Reporter: sdierl | Owner: datallah
Type: defect | Status: new
Milestone: 3.0.0 | Component: winpidgin (gtk)
Version: 2.10.0 | Resolution:
Keywords: |
--------------------+-------------------------------------------------------
Comment(by ioerror):
Replying to [comment:19 datallah]:
> Replying to [comment:16 ioerror]:
> > I changed the malformed png a bit:
>
> <SNIP>
>
> > It appears that this png doesn't get wiped from disk even though it is
clearly malformed. Additionally, I only see those decode errors on the
Windows Pidgin, I do not see them on the Ubuntu Pidgin. I think that means
that I am hitting the GTK libs that are vulnerable, perhaps?
>
> The fact that the file is still there there isn't a problem; it's just a
cached value of what the server sent; we wouldn't want to re-download the
same data.
Well, pidgin gets rid of it in one case but not in another. Why the
difference? It seems like in one case, pidgin removes the image because it
is bad; the other case pidgin also has errors but keeps it around. Keeping
it on disk may make attacking the image library even easier.
--
Ticket URL: <http://developer.pidgin.im/ticket/14571#comment:23>
Pidgin <http://pidgin.im>
Pidgin
More information about the Tracker
mailing list