[Pidgin] #14571: Win32 installer uses insecure GTK+ version
Pidgin
trac at pidgin.im
Fri Aug 24 15:52:47 EDT 2012
#14571: Win32 installer uses insecure GTK+ version
--------------------+-------------------------------------------------------
Reporter: sdierl | Owner: datallah
Type: defect | Status: new
Milestone: 3.0.0 | Component: winpidgin (gtk)
Version: 2.10.0 | Resolution:
Keywords: |
--------------------+-------------------------------------------------------
Comment(by ioerror):
Replying to [comment:25 datallah]:
> Replying to [comment:22 ioerror]:
> > Replying to [comment:18 datallah]:
> > > Replying to [comment:15 ioerror]:
> <SNIP>
> > > > It seems that I can indeed reach the remote png parser as
> > > > expected. Isn't that the libpng png parser?
> > >
> > > Yes, it is reaching gdk-pixbuf and libpng; this wasn't really ever
> > > in doubt.
> > >
> >
> > You originally wrote this and it is why I was erasing any doubt:
> > ''
> > "If you read my comments, I already explained why this is not
> > critical. Just because a potential vulnerability exists in a particular
> > library doesn't mean that it's possible to run into it in our use case."
> > ''
>
> This was referring to CVE-2010-4831.
Ah, well, I guess we could request a new CVE to reference pidgin shipping the old
GTK libs and that would clear it up. Shall I request one for this?
> > OK, well, I think we now both agree that it is possible; I'd like to
> > suggest that it is critical to update GTK.
> >
>
> It would be good to get libpng upgraded, however it's non-trivial.
Well unless I'm mistaken, which I admit is more than likely, I think that
a lot more than libpng needs to be upgraded. libpng seems the most easy
and relevant thing to upgrade. Why not rebuild it and replace it in the
.zip file that pidgin hosts? That seems like the most simple thing unless
libpng actually changed in serious ways.
> We avoid building our own dependencies (in the past this has been more
> problematic and difficult to support than using pre-built "official"
> binaries); [http://www.gtk.org/download/win32.php the GTK+ download site]
> doesn't have a new enough version of libpng, so we'd need to get them to
> supply an updated binary.
Sure, this is yet another way forward. It seems like it won't go very
quickly. Is there a security contact at the gtk project that will help us?
Alternatively, I think pidgin could build and ship the required GTK
libraries. Is the full build process for the required libraries documented
somewhere?
--
Ticket URL: <http://developer.pidgin.im/ticket/14571#comment:27>
Pidgin <http://pidgin.im>
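The thread turns on whether the libpng (and other GTK+) DLLs shipped in the Win32 bundle are older than a known-fixed release. The script below is an added example, not Pidgin's or the GTK+ project's code: it inventories every DLL inside a zipped runtime bundle, reads each file's version straight from its VS_FIXEDFILEINFO block, and flags any library below a minimum-version policy. The bundle contents, the fake DLL images and the thresholds in `EXAMPLE_POLICY` are constructed placeholders; real thresholds have to come from the advisory that applies to the library in question.

```python
import io
import re
import struct
import zipfile

# VS_FIXEDFILEINFO begins with dwSignature = 0xFEEF04BD, little-endian on disk.
VS_FIXEDFILEINFO_SIG = struct.pack("<I", 0xFEEF04BD)


def pe_file_version(data):
    """Return (major, minor, build, revision) from the first VS_FIXEDFILEINFO
    block in a PE image, or None if the image carries no version resource.
    Scanning for the signature avoids walking the PE resource directory."""
    idx = data.find(VS_FIXEDFILEINFO_SIG)
    if idx < 0 or idx + 16 > len(data):
        return None
    _sig, _struc_ver, ver_ms, ver_ls = struct.unpack_from("<IIII", data, idx)
    return (ver_ms >> 16, ver_ms & 0xFFFF, ver_ls >> 16, ver_ls & 0xFFFF)


def library_name(path):
    """Map a bundled DLL path such as bin/libpng12-0.dll to its library name (libpng)."""
    base = path.rsplit("/", 1)[-1]
    m = re.match(r"([a-z_+]+?)[\d.-]*\.dll$", base, re.IGNORECASE)
    return m.group(1).lower() if m else None


def audit_bundle(zip_bytes, policy):
    """Inventory every DLL in a zipped bundle and compare its PE file version
    with the minimum in `policy` ({library: (major, minor, build, revision)})."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".dll"):
                continue
            lib = library_name(info.filename)
            version = pe_file_version(zf.read(info))
            minimum = policy.get(lib)
            if version is None:
                status = "no-version-info"   # cannot be judged; needs a manual look
            elif minimum is None:
                status = "unlisted"          # present in the bundle but not in policy
            elif version < minimum:
                status = "outdated"
            else:
                status = "ok"
            findings.append({"file": info.filename, "library": lib,
                             "version": version, "minimum": minimum, "status": status})
    return findings


def fake_dll(version):
    """Constructed stand-in for a DLL: an MZ header plus a VS_FIXEDFILEINFO block.
    A real DLL keeps the block inside its resource section; the scan finds it either way."""
    major, minor, build, rev = version
    return b"MZ" + b"\0" * 62 + struct.pack(
        "<IIII", 0xFEEF04BD, 0x00010000, (major << 16) | minor, (build << 16) | rev)


def sample_bundle():
    """Constructed sample zip laid out like a GTK+ win32 runtime bundle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bin/libpng12-0.dll", fake_dll((1, 2, 8, 0)))
        zf.writestr("bin/zlib1.dll", fake_dll((1, 2, 5, 0)))
        zf.writestr("bin/intl.dll", b"MZ" + b"\0" * 64)   # no version resource at all
        zf.writestr("share/README.txt", b"not a binary")
    return buf.getvalue()


# Placeholder thresholds (assumed values, not taken from any advisory).
EXAMPLE_POLICY = {"libpng": (1, 2, 44, 0), "zlib": (1, 2, 5, 0)}

if __name__ == "__main__":
    for f in audit_bundle(sample_bundle(), EXAMPLE_POLICY):
        print(f"{f['status']:16} {f['file']} {f['version']} (min {f['minimum']})")
```

Running it against a real bundle only needs `audit_bundle(open("gtk-runtime.zip", "rb").read(), policy)`; the signature scan is the same trick many inventory tools use, and a DLL that reports `no-version-info` is exactly the kind of binary that deserves a second look before it ships.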