XMPP/Jabber clients DoS vulnerability report

Mark Doliner mark at kingant.net
Wed Feb 10 05:10:08 EST 2010


On Wed, Jan 27, 2010 at 10:40 AM, Ethan Blanton <elb at pidgin.im> wrote:
> Ethan Blanton spake unto us the following wisdom:
>> OK, that's what I was hoping to hear, is that it eventually unfreezes.
>> I think we should handle this as follows:
>>
>> 1) Implement a cap on smileys per message; it can be quite high, even
>>    -- say 128.
>
> I should add that I believe we should NOT commit this cap until the
> embargo terms are hammered out, so as not to break the embargo.
>
>> 2) Notify the original poster that we have verified the problem, that
>>    it is *not* a crash bug and that Pidgin will eventually recover,
>>    but that it is clearly a denial of service.
>> 3) Request that, since the severity is rather low, this be embargoed
>>    for some time which we will determine among the involved projects,
>>    but which gives us time to make a proper next release, rather than
>>    an emergency bugfix release.
>>
>> How does that sound to everyone?  I think we should take some official
>> course of action ASAP.  That is, after all, the reason we created this
>> list.  :-)
>
> So far I have agreement from Daniel.  I would like to respond to this
> today.

How does the attached patch look to people?  It sets a limit of 200
smileys per GtkIMHtml by keeping a counter using g_object_get_data and
g_object_set_data.  200 is fairly arbitrary.  My computer can handle
more, but my computer is fairly fast.  I suspect some of our users will
hit the 200 limit because, well, you know our users :-), but I also
suspect that 200 is more than enough for any reasonable conversation.

--Mark
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pidgin_limit_number_of_smileys.diff
Type: text/x-patch
Size: 2738 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20100210/60c8d4f0/attachment.bin>
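
The per-widget cap described in the message above, as an added example that is not the attached patch and not Pidgin code. It assumes a plain struct in place of GtkIMHtml (the message says the real counter is kept with g_object_get_data and g_object_set_data), a constructed shortcut table, and that shortcuts past the cap are left as plain text.

```c
#include <stdio.h>
#include <string.h>

#define SMILEY_CAP 200  /* the limit named in the message */

/* Hypothetical stand-in for one GtkIMHtml widget; the counter lives for
 * the life of the widget, so the cap spans all messages shown in it. */
struct view { unsigned smileys_shown; };

/* Constructed shortcut table, for illustration only. */
static const char *const shortcuts[] = { ":-)", ":-(", ";-)", ":-D" };

/* Length of the smiley shortcut at the start of s, or 0 if none. */
static size_t match_smiley(const char *s)
{
    for (size_t i = 0; i < sizeof shortcuts / sizeof *shortcuts; i++) {
        size_t n = strlen(shortcuts[i]);
        if (strncmp(s, shortcuts[i], n) == 0)
            return n;
    }
    return 0;
}

/* Append one message to the view. A shortcut becomes an image (counted
 * here, not drawn) only while the view is under its cap; past the cap it
 * is skipped over as ordinary text (assumed fallback), so a flood costs a
 * bounded number of image insertions. Returns images rendered for msg. */
unsigned view_append(struct view *v, const char *msg)
{
    unsigned rendered = 0;
    while (*msg) {
        size_t n = match_smiley(msg);
        if (n && v->smileys_shown < SMILEY_CAP) {
            v->smileys_shown++;
            rendered++;
        }
        msg += n ? n : 1;   /* advance past shortcut or one ordinary char */
    }
    return rendered;
}

int main(void)
{
    static char flood[500 * 3 + 1];  /* constructed input: 500 smileys */
    for (int i = 0; i < 500; i++) memcpy(flood + i * 3, ":-)", 3);
    struct view v = { 0 };
    printf("flood message rendered %u images\n", view_append(&v, flood));
    printf("next message rendered %u images\n", view_append(&v, "hi :-)"));
    return 0;
}
```

Because the counter is per widget rather than per message, a sender cannot get around the cap by splitting the same number of smileys across many messages in one conversation.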

