[Pidgin] #14571: Win32 installer uses insecure GTK+ version
Pidgin
trac at pidgin.im
Fri Aug 24 16:48:21 EDT 2012
#14571: Win32 installer uses insecure GTK+ version
--------------------+-------------------------------------------------------
Reporter: sdierl | Owner: datallah
Type: defect | Status: new
Milestone: 3.0.0 | Component: winpidgin (gtk)
Version: 2.10.0 | Resolution:
Keywords: |
--------------------+-------------------------------------------------------
Comment(by datallah):
Replying to [comment:28 ioerror]:
> Indeed, one could make that argument for the GTK code as well as Pidgin.
> That is why many projects backport security fixes. I assume that if pidgin
> doesn't have time to recompile GTK and ship it, backporting fixes is out
> of the question; that seems reasonable and it's why I'd advocate for
> shipping the latest GTK - no time to test, no time to backport; just ship
> the latest code and fix the Pidgin code to reflect that lack of time on
> the GTK side.
You haven't had to deal with the regressions that we've had almost every
time we've updated GTK+ or you wouldn't be advocating that path.
> I'm advocating updating the GTK stack because as I said in #15282 - it's
> not just old, it has a dozen or more CVEs. It's not just old, it's
> vulnerable and sometimes the code is vulnerable, reachable in Pidgin and
> has *published* exploit code for the vulnerable library code. That is why
> updating GTK is a good idea - to protect the windows users who are
> otherwise vulnerable because of the GTK libs that pidgin requires.
> Obviously, it's all half measures as the entire GTK library code is
> downloaded over HTTP (see my bug #15277 about that issue) anyway but the
> threat I'm worried about in this bug is remote code execution, denial of
> service, and so on.
> > GTK+ on Windows is not used very much and frequently things are broken
> > that nobody notices for a long time. There are even things that are
> > broken if you try to run Pidgin 2.10.6 on GTK+ 2.24.10 - you can try it
> > and see if you like.
>
> It's broken, period.
No, it isn't; it mostly works, but there are issues with focus and the
system tray icon IIRC.
> My original bug was about fixing the specific issues with GTK, it was
> closed as a dupe; so now I'm posting here to say that each of the
> vulnerable components should be updated. Ideally without having to produce
> a working exploit for each one, I hope.
I didn't ask you to provide an exploit for the libpng thing - from the
start, I acknowledged that we were probably vulnerable. I don't think
it's necessary to provide exploits - from the type of CVE we should be
able to tell if it is a problem for us or not.
> > If there are specific issues that necessitate an update (e.g. this
> > libpng issue), we can update that particular component (as I'm willing to
> > do when we can get a newer official binary), but to update the whole stack
> > requires a lot of testing, and I don't foresee having time to do that soon
> > (nor do I see a good reason to do so).
>
> Every item with a CVE in #15281 should be assumed to be reachable and
> anything less seems irresponsible. I mean, we're not talking about 0day
> here, which pidgin is rumored to have lots of, we're talking about 600+day
> vulns here.
I disagree. Just because there is a potential issue in a library which
Pidgin uses doesn't mean that it's a problem for Pidgin's usage of the
library.
If it were easy to just update everything, then sure, that would be the
easy fix - however, since that isn't the situation, we can examine the
vulnerabilities and make an evaluation of whether or not it's going to be
a problem for how we use it.
> Moving forward here: How do we build a full gtk.zip file from scratch,
> so we don't have to rely on gtk's builds for security issues?
I pointed you to the script that "builds" the gtk.zip we distribute in one
of the comments on this ticket - it is just a repackaging of the binaries
from gtk.org.
As far as how the gtk.org binaries are built, I don't offhand know how
they're built.
--
Ticket URL: <http://developer.pidgin.im/ticket/14571#comment:31>
Pidgin <http://pidgin.im>
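The two practical concerns raised in this comment are that the repackaged gtk.zip is fetched over plain HTTP and that its bundled components may lag behind the versions in which published CVEs were fixed. The script below is an added example (not Pidgin's repackaging script and not anything from gtk.org) of how a release engineer can gate a bundle on both points before shipping it: verify the downloaded archive against a pinned SHA-256, then compare each component's version against a minimum fixed version. The MANIFEST.txt layout, the component names and every version and hash are constructed assumptions for illustration; they are not taken from the real gtk.zip or from any advisory.

```python
"""Audit a repackaged runtime bundle (a stand-in for Pidgin's gtk.zip).

Checks:
  1. The archive matches a pinned SHA-256, so a plain-HTTP download that was
     tampered with in transit is rejected before anything is repackaged.
  2. Each bundled component is at or above a "fixed in" version.
All names, versions and hashes here are constructed for illustration only.
"""
import hashlib
import io
import zipfile

# Hypothetical "fixed in" table: component -> minimum acceptable version.
# Values are illustrative and not taken from any advisory.
MIN_SAFE_VERSION = {
    "libpng": (1, 2, 46),
    "gtk": (2, 24, 10),
    "glib": (2, 28, 8),
}


def parse_version(s):
    """Turn '1.2.46' into (1, 2, 46); a non-numeric tail such as '-1' is dropped."""
    parts = []
    for piece in s.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if digits == "":
            break
        parts.append(int(digits))
    return tuple(parts)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def read_manifest(zip_bytes):
    """Return {component: version} from MANIFEST.txt inside the archive.

    The 'name=version' per-line format is an assumption of this example;
    the real gtk.zip carries no such file.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        text = zf.read("MANIFEST.txt").decode("utf-8")
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("=")
        manifest[name.strip()] = version.strip()
    return manifest


def vulnerable_components(manifest, table=MIN_SAFE_VERSION):
    """List (name, shipped, required) for components below the fixed version.

    A component present in the table but absent from the manifest is reported
    with shipped=None, since an unlisted component cannot be vouched for.
    """
    findings = []
    for name, minimum in sorted(table.items()):
        required = ".".join(str(n) for n in minimum)
        shipped = manifest.get(name)
        if shipped is None:
            findings.append((name, None, required))
        elif parse_version(shipped) < minimum:
            findings.append((name, shipped, required))
    return findings


def audit_bundle(zip_bytes, expected_sha256):
    """Hash check first; version findings are only meaningful for a genuine archive."""
    if sha256_hex(zip_bytes) != expected_sha256.lower():
        return {"hash_ok": False, "findings": []}
    return {"hash_ok": True, "findings": vulnerable_components(read_manifest(zip_bytes))}


def build_sample_bundle():
    """Constructed stand-in for a downloaded archive (one component is outdated)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MANIFEST.txt", "libpng=1.2.44\ngtk=2.24.10\nglib=2.28.8\n")
        zf.writestr("bin/libpng12-0.dll", b"\x00" * 16)  # placeholder payload
    return buf.getvalue()


if __name__ == "__main__":
    bundle = build_sample_bundle()
    pinned = sha256_hex(bundle)  # in practice: pinned out of band, not computed here
    print(audit_bundle(bundle, pinned))
    print(audit_bundle(bundle + b"x", pinned))
```

The pinned hash has to come from somewhere other than the HTTP download itself (an upstream signature, an HTTPS mirror, or a value recorded when the archive was first vetted); computing it from the fetched bytes, as the stand-alone demo does, only shows the mechanics. The version table is the place to record the "is it a problem for how we use it" evaluation discussed above: a component whose CVE is judged unreachable can be left at its current version in the table, and the decision is then visible and reviewable rather than implicit.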