XMMP/Jabber clients DoS vulnerability report

Mark Doliner mark at kingant.net
Wed Feb 10 05:10:08 EST 2010

On Wed, Jan 27, 2010 at 10:40 AM, Ethan Blanton <elb at pidgin.im> wrote:
> Ethan Blanton spake unto us the following wisdom:
>> OK, that's what I was hoping ot hear, is that it eventually unfreezes.
>> I think we should handle this as follows:
>> 1) Implement a cap on smileys per message; it can be quite high, even
>>    -- say 128.
> I should add that I believe we should NOT commit this cap until the
> embargo terms are hammered out, so as not to break the embargo.
>> 2) Notify the original poster that we have verified the problem, that
>>    it is *not* a crash bug and that Pidgin will eventually recover,
>>    but that it is clearly a denial of service.
>> 3) Request that, since the severity is rather low, this be embargoed
>>    for some time which we will determine among the involved projects,
>>    but which gives us time to make a proper next release, rather than
>>    an emergency bugfix release.
>> How does that sound to everyone?  I think we should take some official
>> course of action ASAP.  That is, after all, the reason we created this
>> list.  :-)
> So far I have agreement from Daniel.  I would like to respond to this
> today.

How does the attached patch look to people?  It sets a limit of 200
smileys per GtkIMHtml by keeping a counter using g_object_get_data and
g_object_set_data.  200 is fairly arbitrary.  My computer can handle
more, but my computer is fairy fast.  I suspect some of our users will
hit the 200 limit because, well, you know our users :-), but I also
suspect that 200 is more than enough for any reasonable conversation.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin_limit_number_of_smileys.diff
Type: text/x-patch
Size: 2738 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20100210/60c8d4f0/attachment.bin>

More information about the security mailing list