[Pidgin] #14571: Win32 installer uses insecure GTK+ version

Pidgin trac at pidgin.im
Fri Aug 24 15:52:47 EDT 2012


#14571: Win32 installer uses insecure GTK+ version
--------------------+-------------------------------------------------------
 Reporter:  sdierl  |        Owner:  datallah       
     Type:  defect  |       Status:  new            
Milestone:  3.0.0   |    Component:  winpidgin (gtk)
  Version:  2.10.0  |   Resolution:                 
 Keywords:          |  
--------------------+-------------------------------------------------------

Comment(by ioerror):

 Replying to [comment:25 datallah]:
 > Replying to [comment:22 ioerror]:
 > > Replying to [comment:18 datallah]:
 > > > Replying to [comment:15 ioerror]:
 > <SNIP>
 > > > > It seems that I can indeed reach the remote png parser as
 expected. Isn't that the libpng png parser?
 > > >
 > > > Yes, it is reaching gdk-pixbuf and libpng; this wasn't really ever
 in doubt.
 > > >
 > >
 > > You originally wrote this and it is why I was erasing any doubt:
 > > ''
 > > "If you read my comments, I already explained why this is not
 critical. Just because a potential vulnerability exists in a particular
 library doesn't mean that it's possible to run into it in our use case."
 > > ''
 >
 > This was referring to CVE-2010-4831.

 Ah, well, I guess we could request a new CVE to reference pidgin shipping
 the old GTK libs and that would clear it up. Shall I request one for this?

 > > OK, well, I think we now both agree that it is possible; I'd like to
 suggest that it is critical to update GTK.
 > >
 >
 > It would be good to get libpng upgraded, however it's non-trivial.

 Well unless I'm mistaken, which I admit is more than likely, I think that
 a lot more than libpng needs to be upgraded. libpng seems the most easy
 and relevant thing to upgrade. Why not rebuild it and replace it in the
 .zip file that pidgin hosts? That seems like the most simple thing unless
 libpng actually changed in serious ways.

 > We avoid building our own dependencies (in the past this has been more
 problematic and difficult to support than using pre-built "official"
 binaries); [http://www.gtk.org/download/win32.php the GTK+ download site]
 doesn't have a new enough version of libpng, so we'd need to get them to
 supply an updated binary.

 Sure, this is yet another way forward. It seems like it won't go very
 quickly. Is there a security contact at the gtk project that will help us?

 Alternatively, I think pidgin could build and ship the required GTK
 libraries. Is the full build process for the required libraries documented
 somewhere?

-- 
Ticket URL: <http://developer.pidgin.im/ticket/14571#comment:27>
Pidgin <http://pidgin.im>