[Pidgin] #15286: Master bug for old libraries in Windows Pidgin build

Pidgin trac at pidgin.im
Sun Aug 26 00:47:31 EDT 2012


#15286: Master bug for old libraries in Windows Pidgin build
----------------------+-----------------------------------------------------
 Reporter:  ioerror   |        Owner:  datallah       
     Type:  defect    |       Status:  new            
Milestone:            |    Component:  winpidgin (gtk)
  Version:  2.10.6    |   Resolution:                 
 Keywords:  security  |  
----------------------+-----------------------------------------------------

Comment(by ioerror):

 Replying to [comment:5 datallah]:
 > Replying to [comment:4 ioerror]:
 >
 > > exchndl.dll appears to be the Crash Reporting Library (
 > > http://developer.pidgin.im/static/win32/pidgin-inst-deps-20100315.tar.gz).
 > > I think the source for that dll is from
 > > http://pidgin.im/~datallah/exchndl.c - is that the code for the exception
 > > handler/Crash Reporter? If so, is it actually free software? Either way -
 > > according to the author of MSJExceptionHandler, it was replaced by
 > > WheatyExceptionReport ( http://www.wheaty.net/Columns.htm ) in 2002 (
 > > http://bwmangos.googlecode.com/svn/trunk/src/shared/WheatyExceptionReport.cpp
 > > ). Furthermore, it appears that it is pretty unsafe in general:
 > > {{{
 > > exchndl.dll
 > > }}}
 >
 > Yes, that's the crash report generator.
 > It isn't actually MSJExceptionHandler, but I guess that was an
 > inspiration or something.
 >

 Ok but is the code http://pidgin.im/~datallah/exchndl.c or something else?
 http://code.google.com/p/jrfonseca/downloads/detail?name=drmingw-0.4.4.zip
 doesn't appear to have any source code beyond
 drmingw-0.4.4/samples/test.c, which is an example:
 {{{
  % unzip drmingw-0.4.4.zip
 Archive:  drmingw-0.4.4.zip
   inflating: drmingw-0.4.4/COPYING
   inflating: drmingw-0.4.4/COPYING.LIB
   inflating: drmingw-0.4.4/drmingw.exe
   inflating: drmingw-0.4.4/doc/drmingw.html
   inflating: drmingw-0.4.4/doc/drmingw.reg
   inflating: drmingw-0.4.4/doc/exception-nt.gif
   inflating: drmingw-0.4.4/doc/install.gif
   inflating: drmingw-0.4.4/doc/sample.gif
   inflating: drmingw-0.4.4/samples/test.c
   inflating: drmingw-0.4.4/samples/test.exe
   inflating: drmingw-0.4.4/samples/testcpp.cxx
   inflating: drmingw-0.4.4/samples/testcpp.exe
 }}}


 > It is LGPL - it's from http://code.google.com/p/jrfonseca/ - it's part
 > of drmingw.
 > It's been modified somewhat to suit our needs.

 I looked and found this:
 http://code.google.com/p/jrfonseca/source/browse/exchndl.c?repo=drmingw

 Is that the actual code used? And if so... Is the patch exchndl_daa4.diff
 from pidgin-inst-deps-20100315.tar.gz what is applied on top of it?

 >
 > What are your specific complaints about it being unsafe?
 >
 > > The following are Pidgin/libpurple code (including '''plugins/*''')
 > > and not thought to be covered by any CVEs - though I guess I'll wait for
 > > explicit confirmation from the pidgin team, as they're the authority on
 > > these dlls:
 > > {{{
 > > libjabber.dll
 > > liboscar.dll
 > > libpurple.dll
 > > libymsg.dll
 > > pidgin.dll
 > > }}}
 >
 > These are all part of the libpurple and pidgin codebase and are built
 > from the pidgin codebase during each release.

 That's what I thought. I assume these are up to date and have no
 outstanding security issues. Is that correct?

-- 
Ticket URL: <http://developer.pidgin.im/ticket/15286#comment:6>
Pidgin <http://pidgin.im>