[Pidgin] #14571: Win32 installer uses insecure GTK+ version

Pidgin trac at pidgin.im
Fri Aug 24 16:24:45 EDT 2012


#14571: Win32 installer uses insecure GTK+ version
--------------------+-------------------------------------------------------
 Reporter:  sdierl  |        Owner:  datallah       
     Type:  defect  |       Status:  new            
Milestone:  3.0.0   |    Component:  winpidgin (gtk)
  Version:  2.10.0  |   Resolution:                 
 Keywords:          |  
--------------------+-------------------------------------------------------

Comment(by datallah):

 Replying to [comment:27 ioerror]:
 > Ah, well, I guess we could request a new CVE to reference pidgin shipping the
 > old GTK libs and that would clear it up. Shall I request one for this?

 I don't see why we need a CVE for this; we haven't done that for this type
 of thing in the past. There's a CVE for each of the issues in libpng
 already.  There's no need to coordinate anything with any downstream
 distributions or supply a patch.

 > > It would be good to get libpng upgraded, however it's non-trivial.
 >
 > Well unless I'm mistaken, which I admit is more than likely, I think
 > that a lot more than libpng needs to be upgraded.

 If there are other things, we may be able to update them too - I didn't
 see anything in the list you posted that I thought was necessary.

 > libpng seems the most easy and relevant thing to upgrade. Why not
 > rebuild it and replace it in the .zip file that pidgin hosts? That seems
 > like the most simple thing unless libpng actually changed in serious ways.

 Like I said, I would like to avoid building dependencies.

 > Sure, this is yet another way forward. It seems like it won't go very
 > quickly. Is there a security contact at the gtk project that will help us?

 The win32 side of the GTK+ project is understaffed; the long time win32
 maintainer retired from the project a couple years ago and I don't know if
 someone else has really taken over.

 I would file a ticket in bugzilla requesting that a newer libpng binary be
 distributed.

 I guess I'm not worried if this takes a little while; this isn't a new
 issue and the world will not end if it isn't resolved immediately.

 > Alternatively, I think pidgin could build and ship the required GTK
 > libraries. Is the full build process for the required libraries documented
 > somewhere?

 That's a question for the GTK+ folks, but as I said, I'd rather not go
 down this path.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/14571#comment:29>
Pidgin <http://pidgin.im>