[Pidgin] #14571: Win32 installer uses insecure GTK+ version
Pidgin
trac at pidgin.im
Fri Aug 24 15:26:20 EDT 2012
#14571: Win32 installer uses insecure GTK+ version
--------------------+-------------------------------------------------------
Reporter: sdierl | Owner: datallah
Type: defect | Status: new
Milestone: 3.0.0 | Component: winpidgin (gtk)
Version: 2.10.0 | Resolution:
Keywords: |
--------------------+-------------------------------------------------------
Comment(by datallah):
Replying to [comment:22 ioerror]:
> Replying to [comment:18 datallah]:
> > Replying to [comment:15 ioerror]:
<SNIP>
> > > It seems that I can indeed reach the remote png parser as expected. Isn't that the libpng png parser?
> >
> > Yes, it is reaching gdk-pixbuf and libpng; this wasn't really ever in doubt.
> >
>
> You originally wrote this and it is why I was erasing any doubt:
> ''
> "If you read my comments, I already explained why this is not critical. Just because a potential vulnerability exists in a particular library doesn't mean that it's possible to run into it in our use case."
> ''
This was referring to CVE-2010-4831.
> OK, well, I think we now both agree that it is possible; I'd like to suggest that it is critical to update GTK.
>
It would be good to get libpng upgraded, however it's non-trivial. We
avoid building our own dependencies (in the past this has been more
problematic and difficult to support than using pre-built "official"
binaries); [http://www.gtk.org/download/win32.php the GTK+ download site]
doesn't have a new enough version of libpng, so we'd need to get them to
supply an updated binary.
--
Ticket URL: <http://developer.pidgin.im/ticket/14571#comment:25>
Pidgin <http://pidgin.im>