[Pidgin] #14571: Win32 installer uses insecure GTK+ version

Pidgin trac at pidgin.im
Fri Aug 24 15:22:16 EDT 2012

#14571: Win32 installer uses insecure GTK+ version
 Reporter:  sdierl  |        Owner:  datallah       
     Type:  defect  |       Status:  new            
Milestone:  3.0.0   |    Component:  winpidgin (gtk)
  Version:  2.10.0  |   Resolution:                 
 Keywords:          |  

Comment(by ioerror):

 I think waiting for pidgin 3.0.0 to upgrade GTK is a pretty dangerous
 idea. GTK should be rebuilt for the current pidgin versions. It might
 warrant a new release of pidgin proper because of GTK changes but it sure
 seems like an updated GTK.zip should be produced in any case.

 One of the issues with waiting until 3.0.0 is that the attack surface of a
 totally new major pidgin changes things significantly. Upgrading
 *everything* merely to stop users from using known buggy libraries is
 likely to have other issues. This is how wordpress used to do security
 fixes and it sure caused them a lot of problems. If somone wanted a patch,
 they had to update to the newest wordpress version, which also came with
 say, a bunch of new code that hadn't been audited. Upgrading users would
 fix one known bug and get ten new ones. A bad paradigm for reducing attack
 surface and certainly not a model worth emulating. :(

 Also, if that is the path to an updated GTK/libpng/etc, regardless of net
 pidgin attack surface, the library attack surface is still present until
 the 3.0.0 release. It hasn't changed in over a year. I'd put my money on
 stable exploits being around for these issues in private.

Ticket URL: <http://developer.pidgin.im/ticket/14571#comment:24>
Pidgin <http://pidgin.im>

More information about the Tracker mailing list