[Pidgin] #14571: Win32 installer uses insecure GTK+ version
Pidgin
trac at pidgin.im
Fri Aug 24 16:38:26 EDT 2012
#14571: Win32 installer uses insecure GTK+ version
--------------------+-------------------------------------------------------
Reporter: sdierl | Owner: datallah
Type: defect | Status: new
Milestone: 3.0.0 | Component: winpidgin (gtk)
Version: 2.10.0 | Resolution:
Keywords: |
--------------------+-------------------------------------------------------
Comment(by ioerror):
Replying to [comment:29 datallah]:
> Replying to [comment:27 ioerror]:
> > Ah, well, I guess we could get a new CVE to reference pidgin shipping the
> > old GTK libs and that would clear it up. Shall I request one for this?
>
> I don't see why we need a CVE for this; we haven't done that for this
> type of thing in the past. There's a CVE for each of the issues in libpng
> already. There's no need to coordinate anything with any downstream
> distributions or supply a patch.
>
Pidgin with these GTK libs is a flock of 365day flying in formation at the
moment. That is why - everyone who installed Pidgin on Windows is
vulnerable to the libpng bugs at the very least, almost certainly other
bugs will impact those users.
> > > It would be good to get libpng upgraded, however it's non-trivial.
> >
> > Well unless I'm mistaken, which I admit is more than likely, I think
> > that a lot more than libpng needs to be upgraded.
>
> If there are other things, we may be able to update them too - I didn't
> see anything in the list that I thought was necessary in the list you
> posted.
I'm guessing the xml parser is probably also a problem. Then again,
libxml2 is also in play... Turtles... everywhere.
>
> > libpng seems the most easy and relevant thing to upgrade. Why not
> > rebuild it and replace it in the .zip file that pidgin hosts? That seems
> > like the most simple thing unless libpng actually changed in serious ways.
>
> Like I said, I would like to avoid building dependencies.
I don't think that is reasonable. After more than a year of leaving users
vulnerable, I think building this code and shipping it, over SSL at that,
is a much better way forward.
>
> > Sure, this is yet another way forward. It seems like it won't go very
> > quickly. Is there a security contact at the gtk project that will help us?
>
> The win32 side of the GTK+ project is understaffed; the long time win32
> maintainer retired from the project a couple years ago and I don't know if
> someone else has really taken over.
>
That's too bad. Though I suspect GTK builds just fine, it just needs a new
build and a release, right?
> I would file a ticket in bugzilla requesting that a newer libpng binary
> be distributed.
>
Did you? Or do you mean, I should?
> I guess I'm not worried if this takes a little while; this isn't a new
> issue and the world will not end if it isn't resolved immediately.
So, without sounding hostile, I wonder what you mean that it isn't the end
of the world? Does someone have to upload a working libpng exploit that
executes arbitrary code for this to be taken seriously?
> > Alternatively, I think pidgin could build and ship the required GTK
> > libraries. Is the full build process for the required libraries documented
> > somewhere?
>
> That's a question for the GTK+ folks, but as I said, I'd rather not go
> down this path.
Huh? GTK+ folks don't actually know if pidgin can build and ship GTK. That
question is squarely for pidgin developers. Is the build process
documented somewhere? Or has pidgin never built the win32 gtk libs, never
tried, and they won't start now?
If GTK won't fix it and you guys won't fix it - it seems unreasonable to
ship it.
--
Ticket URL: <http://developer.pidgin.im/ticket/14571#comment:30>
Pidgin <http://pidgin.im>