On Sun, Mar 04, 2018 at 05:50:15PM +0100, John Paul Adrian Glaubitz wrote:
> >> I don't think a rant posted on reddit by the author of a fork
> >> is justified enough to ask for a package to be removed from
> >> the archive.
> >
> > The author posted his opinion to his personal blog and did not
> > directly start the reddit discussion. Also, that author is the subject
> > matter expert here and I think we should give due deference to his
> > understanding of the security issues present in xchat for which he did
> > not seek CVE designations.
>
> If he is an expert, why didn't he even bother posting a single valid
> example where xchat is insecure and posing a risk to its users?
>
> If there are valid vulnerabilities, it shouldn't be a problem to list
> them.
So in response to this request, I have contacted TingPing regarding his claims, to try and clarify which security issues he has found in XChat during the maintenance of hexchat. He was kind enough to respond with a few examples.

He pointed at 4 recent commits fixing remote crashes when connecting to an untrusted IRC server:

https://github.com/hexchat/hexchat/commit/f4a592c4f0364d35068bca9f2634946750340356
https://github.com/hexchat/hexchat/commit/a3db4e577307742965f5ba75daf03146164bd211
https://github.com/hexchat/hexchat/commit/6e4fc09ce005db965523ef8930ea51ca429815a2
https://github.com/hexchat/hexchat/commit/f6333b592b0d574d68e96d04a09a6cae956ee6c3

Those have been discovered by fuzzing and are generally not possible to trigger by other users, but could be abused by a hostile server to trigger a crash in Xchat.

In general, he said that most issues were "mostly" in that domain, but he doesn't exclude crashes triggered by other users, which would be more worrisome.

I hope this answers the demand of proving the claims of security issues more clearly.

Have a nice day!

A.