[Pidgin] #14571: Win32 installer uses insecure GTK+ version
Pidgin
trac at pidgin.im
Fri Aug 24 15:34:59 EDT 2012
#14571: Win32 installer uses insecure GTK+ version
--------------------+-------------------------------------------------------
Reporter: sdierl | Owner: datallah
Type: defect | Status: new
Milestone: 3.0.0 | Component: winpidgin (gtk)
Version: 2.10.0 | Resolution:
Keywords: |
--------------------+-------------------------------------------------------
Comment(by datallah):
Replying to [comment:24 ioerror]:
> I think waiting for pidgin 3.0.0 to upgrade GTK is a pretty dangerous
> idea. GTK should be rebuilt for the current pidgin versions. It might
> warrant a new release of pidgin proper because of GTK changes but it sure
> seems like an updated GTK.zip should be produced in any case.
>
> One of the issues with waiting until 3.0.0 is that the attack surface of
> a totally new major pidgin changes things significantly. Upgrading
> *everything* merely to stop users from using known buggy libraries is
> likely to have other issues. This is how wordpress used to do security
> fixes and it sure caused them a lot of problems. If someone wanted a patch,
> they had to update to the newest wordpress version, which also came with
> say, a bunch of new code that hadn't been audited. Upgrading users would
> fix one known bug and get ten new ones. A bad paradigm for reducing attack
> surface and certainly not a model worth emulating. :(
The same "bunch of new code" argument could be made about the GTK+ stack.
> Also, if that is the path to an updated GTK/libpng/etc, regardless of
> net pidgin attack surface, the library attack surface is still present
> until the 3.0.0 release. It hasn't changed in over a year. I'd put my
> money on stable exploits being around for these issues in private.
Updating the GTK+ stack "because it's old" is not a good idea. GTK+ on
Windows is not used very much and frequently things are broken that nobody
notices for a long time. There are even things that are broken if you try
to run Pidgin 2.10.6 on GTK+ 2.24.10 - you can try it and see if you like.
If there are specific issues that necessitate an update (e.g. this libpng
issue), we can update that particular component (as I'm willing to do when
we can get a newer official binary), but to update the whole stack
requires a lot of testing, and I don't foresee having time to do that soon
(nor do I see a good reason to do so).
--
Ticket URL: <http://developer.pidgin.im/ticket/14571#comment:26>
Pidgin <http://pidgin.im>
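The thread above turns on a practical question: which bundled components in the Win32 installer actually fall below a known-good version, so that only those need updating rather than the whole GTK+ stack. The script below is an added example, not Pidgin project code and not taken from the ticket; it audits a constructed inventory of bundled libraries against a constructed minimum-version baseline (the component names and version numbers are placeholders, not real advisories) and reports which components are outdated, which are fine, and which have no baseline entry at all.

```python
"""Audit bundled third-party library versions in an installer tree
against a minimum-version baseline.

Added example: this is not Pidgin's own tooling. Every version number
below is a constructed sample, not a statement about any real release.
"""
import re


def parse_version(version: str) -> tuple:
    """Turn '2.24.10-1' or '1.5.4' into a comparable tuple of integers.

    Only the numeric fields are compared, so packaging suffixes such as
    '-1' or '.win32' do not break the comparison.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def audit(bundled: dict, baseline: dict) -> dict:
    """Classify each bundled component against the baseline.

    bundled:  {component name: version shipped in the installer}
    baseline: {component name: minimum acceptable version}

    Returns {'outdated': [...], 'ok': [...], 'unknown': [...]} with
    component names sorted, so the result is stable for assertions.
    'unknown' lists components the baseline says nothing about; those
    deserve a manual look rather than a silent pass.
    """
    report = {"outdated": [], "ok": [], "unknown": []}
    for name, shipped in sorted(bundled.items()):
        if name not in baseline:
            report["unknown"].append(name)
        elif parse_version(shipped) < parse_version(baseline[name]):
            report["outdated"].append(name)
        else:
            report["ok"].append(name)
    return report


def update_plan(bundled: dict, baseline: dict) -> list:
    """Return (name, shipped, required) triples for components that must move.

    This is the 'update that particular component' list: the minimal set
    of swaps needed to clear the baseline without touching anything else.
    """
    outdated = audit(bundled, baseline)["outdated"]
    return [(name, bundled[name], baseline[name]) for name in outdated]


# Constructed sample inventory (placeholder versions, not real data).
SAMPLE_BUNDLED = {
    "libpng": "1.4.3",
    "gtk": "2.16.6-1",
    "zlib": "1.2.5",
    "pango": "1.28.0",
}

# Constructed sample baseline (placeholder minimums, not real advisories).
SAMPLE_BASELINE = {
    "libpng": "1.4.9",
    "gtk": "2.16.6",
    "zlib": "1.2.5",
}

if __name__ == "__main__":
    for category, names in audit(SAMPLE_BUNDLED, SAMPLE_BASELINE).items():
        print(f"{category}: {', '.join(names) or '-'}")
    for name, have, need in update_plan(SAMPLE_BUNDLED, SAMPLE_BASELINE):
        print(f"update {name}: {have} -> {need}")
```

Running it against the sample data lists libpng as the only outdated component, gtk and zlib as fine, and pango as unknown because the baseline does not cover it. In practice the inventory would be read from the installer's bundled DLL metadata and the baseline maintained alongside the build scripts, so a release can be checked automatically before it ships.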