[Pidgin] #15286: Master bug for old libraries in Windows Pidgin build
Pidgin
trac at pidgin.im
Sun Aug 26 01:58:50 EDT 2012
#15286: Master bug for old libraries in Windows Pidgin build
----------------------+-----------------------------------------------------
Reporter: ioerror | Owner: datallah
Type: defect | Status: new
Milestone: | Component: winpidgin (gtk)
Version: 2.10.6 | Resolution:
Keywords: security |
----------------------+-----------------------------------------------------
Comment(by ioerror):
Replying to [comment:11 datallah]:
> Replying to [comment:9 ioerror]:
> > Replying to [comment:8 datallah]:
> > > Why are all of these being posted publicly?
> >
> > I didn't realize it was important to keep these well-known issues a
> > secret. There was no problem discussing these kinds of issues in #14571 -
> > how are these issues different? It's more third-party library code that
> > isn't maintained, just like the GTK bundle, right?
> >
> > Every single issue, other than #15289 (which is not confirmed as
> > anything interesting anyway) is discussing known vulnerabilities.
>
> Is it not a common practice to keep security issues private until
> they're resolved?
>
They are resolved issues in the respective code base. Clearly, if I am
correct, Pidgin doesn't ship those fixes and obviously, that is a problem
worth resolving. Is there a bug tracking option that allows me to mark
bugs as private or secret? If not, I guess that might be a problem.
I wasn't aware that I should treat these as a secret. As I said, #14571
demonstrates a total disregard for common security practices and it seemed
to indicate that this kind of stuff wasn't worth keeping secret. I'm happy
to put things out in the open - sunlight tends to disinfect...
> It is no different than #14571, I should have said something sooner. I
> figured the cat was out of the bag already because it was posted; I didn't
> realize you were going to keep going.
Yeah, the Pidgin team does seem to have people report things and then for
some reason, they vanish. I think it might be induced by the kinds of
conversations that result from trying to help? I stated that I wanted to
help and I was met with cold resistance, seemingly callous arrogance and
intense argument.
Still, I went through every library in the shipping Windows build. I
followed Pidgin's lead on the secrecy angle and I found an issue in almost
every single shipping library. If the GTK bundle was fair game for open
discussion, I hardly see how older vulnerabilities are somehow not fair
game for open discussion.
> Sure they're "known" vulnerabilities in the library that they exist in,
> but they're not "known" in Pidgin.
Oh - that is just the point, it's all well known. Frustratingly so, I
might add.
Pidgin is well known as being a security joke. The Pidgin team has a
reputation that it doesn't seem to care about user security; I hope that
we can prove both of those things to be incorrect.
The Windows version is remotely exploitable from a dozen angles as I've
shown here. This isn't even starting to touch on libpurple, pidgin or
finch; nor does it address the 0day sitting around in a few of the
libraries that libpurple uses. Those issues can go into other bugs as this
bug is just about old, buggy third-party code.
--
Ticket URL: <http://developer.pidgin.im/ticket/15286#comment:13>
Pidgin <http://pidgin.im>