Include libmsn in main
Bug #308060 reported by
Jonathan Thomas
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libmsn (Ubuntu) |
Fix Released
|
Medium
|
Kees Cook | ||
Jaunty |
Fix Released
|
Medium
|
Kees Cook |
Bug Description
Related branches
Changed in libmsn: | |
importance: | Undecided → Medium |
Changed in libmsn: | |
milestone: | none → ubuntu-9.04-beta |
Changed in libmsn: | |
assignee: | ubuntu-security → jdstrand |
Changed in libmsn (Ubuntu Jaunty): | |
status: | Confirmed → Fix Released |
status: | Fix Released → Confirmed |
Changed in libmsn: | |
milestone: | ubuntu-9.04-beta → ubuntu-9.04 |
Changed in libmsn (Ubuntu Jaunty): | |
status: | Fix Released → In Progress |
To post a comment you must log in.
MIR looks good, thanks, a couple of points worry me though.
= Security =
# Does not directly process binary or structured data such as video, sound, or pdf
this directly contradicts:
# Would have network activity inasmuch as it handles network traffic for MSN chats, which includes receiving incoming files over chat.
I think this is a typical security sensitive lib, exposed to network data, with buffers, string parsing, marshalling / unmarshalling of network data into objects etc.
This risk is probably largely alleviated by the fact that it should communicate mostly with MSN servers, but msn/p2p.cpp let's me think there are also user to user connections.
I propose that we ask at least for a quick look from a security person; perhaps we can also enable some stronger hardening flags for this particular package?
= IP =
I don't think the MSN protocol is an open standard; I understand it was reverse engineered. I guess this is ok for interoperability, but deserves a mention in the MIR.
I also wonder about usage of the name libmsn; gaim at to be renamed because of TM issues. I guess this is an upstream problem and we will rename if we get asked to.