[Pidgin] #14571: Win32 installer uses insecure GTK+ version
Pidgin
trac at pidgin.im
Fri Aug 24 15:22:16 EDT 2012
#14571: Win32 installer uses insecure GTK+ version
--------------------+-------------------------------------------------------
Reporter: sdierl | Owner: datallah
Type: defect | Status: new
Milestone: 3.0.0 | Component: winpidgin (gtk)
Version: 2.10.0 | Resolution:
Keywords: |
--------------------+-------------------------------------------------------
Comment(by ioerror):
I think waiting for pidgin 3.0.0 to upgrade GTK is a pretty dangerous
idea. GTK should be rebuilt for the current pidgin versions. It might
warrant a new release of pidgin proper because of GTK changes but it sure
seems like an updated GTK.zip should be produced in any case.
One of the issues with waiting until 3.0.0 is that the attack surface of a
totally new major pidgin changes things significantly. Upgrading
*everything* merely to stop users from using known buggy libraries is
likely to have other issues. This is how wordpress used to do security
fixes and it sure caused them a lot of problems. If someone wanted a patch,
they had to update to the newest wordpress version, which also came with
say, a bunch of new code that hadn't been audited. Upgrading users would
fix one known bug and get ten new ones. A bad paradigm for reducing attack
surface and certainly not a model worth emulating. :(
Also, if that is the path to an updated GTK/libpng/etc, regardless of net
pidgin attack surface, the library attack surface is still present until
the 3.0.0 release. It hasn't changed in over a year. I'd put my money on
stable exploits being around for these issues in private.
--
Ticket URL: <http://developer.pidgin.im/ticket/14571#comment:24>
Pidgin <http://pidgin.im>