[Pidgin] #14571: Win32 installer uses insecure GTK+ version

Pidgin trac at pidgin.im
Fri Aug 24 15:26:20 EDT 2012

#14571: Win32 installer uses insecure GTK+ version
 Reporter:  sdierl  |        Owner:  datallah       
     Type:  defect  |       Status:  new            
Milestone:  3.0.0   |    Component:  winpidgin (gtk)
  Version:  2.10.0  |   Resolution:                 
 Keywords:          |  

Comment(by datallah):

 Replying to [comment:22 ioerror]:
 > Replying to [comment:18 datallah]:
 > > Replying to [comment:15 ioerror]:
 > > > It seems that I can indeed reach the remote png parser as expected.
 Isn't that the libpng png parser?
 > >
 > > Yes, it is reaching gdk-pixbuf and libpng; this wasn't really ever in
 > >
 > You originally wrote this and it is why I was erasing any doubt:
 > ''
 > "If you read my comments, I already explained why this is not critical.
 Just because a potential vulnerability exists in a particular library
 doesn't mean that it's possible to run into it our use case."
 > ''

 This was referring to CVE-2010-4831.

 > OK, well, I think we now both agree that it is possible; I'd like to
 suggest that it is critical to update GTK.

 It would be good to get libpng upgraded, however it's non-trivial. We
 avoid building our own dependencies (in the past this has been more
 problematic and difficult to support than using pre-build "official"
 binaries); [http://www.gtk.org/download/win32.php the GTK+ download site]
 doesn't have a new enough version of libpng, so we'd need to get them to
 supply an updated binary.

Ticket URL: <http://developer.pidgin.im/ticket/14571#comment:25>
Pidgin <http://pidgin.im>

More information about the Tracker mailing list