lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: faceprint at faceprint.com (Nathan Walp)
Subject: Advisory 02/2004: Trillian remote
	overflows	-> maybe this is off-topic, but...

On Wed, 2004-02-25 at 02:02, Stefan Esser wrote:
> Hello,
> 
> On Tue, Feb 24, 2004 at 08:23:44PM -0500, Luke Schierer wrote:
> > Jeff is absolutely correct. We've given them yahoo code, they have given 
> > us yahoo code.  Sean Egan and one of their heads, a guy named Scott, are 
> > on good terms.  no theft either way involved here.
> > luke
> 
> There is actually one little problem... Eric Warmenhoven, the guy who commited
> the yahoo code had no clue that this code is used by Trillian. Noone from the
> GAIM team except himself has the right to dual license his code. And the second 
> thing is: take a close look on the commit messages:
> 
> It a) references external persons
> 
> rev 1.11: Valdis Kletnieks (sysphrog) suggested this fix. 
> This seems really odd to me. Typical Yahoo.
> 
> (The fix is actually only a "+1" fix)
> 
> 
> b) has mysterious comments...
> 
> rev 1.12: this seems... i don't know.
> 
> (sounds to me like... Hmmm got this code commited it, but don't know if or why
> it is better)

Take a journey with me:

rev 1.41:
Sean Egan commits the new authorization code he just wrote.

rev 1.46:
Sean Egan adjusts the authorization code to use version 9 instead of 6.

rev 1.97 (yes, it's been that long since auth was touched):
Sean Egan changes some auth code around, and renames some stuff

rev 1.104:
Sean Egan modifies yahoo to send the username in lowercase, fixing auth.

rev 1.140:
Sean Egan changes the protocol version again from 0x0900 to 0x000b

rev 1.145:
Sean Egan commits drastically new auth code.  I believe this was written
by him after Trillian figured out the new authentication mechanism.

rev 1.160:
Sean Egan commits more yahoo auth fixes, presumably with help from
Trillian

rev 1.162:
Sean Egan commits his "web auth" code, giving Gaim 2 ways to log into
Yahoo


Now I'm sick of looking through commit logs, but I think you get the
idea.  Also, by this point, Trillian is sending us code, not
vice-versa.  The only code that was ever sent to them was the auth code,
which Sean wrote.  Sean is allowed to send that code to anyone he
pleases.  As much of a stickler as he is for the GPL, I really don't
think he'd violate it so blatently and publically.

Nathan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040225/a9bfd9df/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ