XMPP/Jabber clients DoS vulnerability report

Ethan Blanton elb at pidgin.im
Mon Jan 25 13:36:19 EST 2010


at 2010-01-23T13:07+0000, Andrea Barisani wrote:
> oCERT recently received a report about a DoS condition in Pidgin and Psi;
> other XMPP clients might be affected (libpurple and libiris ones most
> likely).
> 
> The sample message attached to this email causes, according to the reporter,
> 100% CPU load; the message can be sent by non-buddies, as just the target jid
> is sufficient.
> 
> Can you confirm the issue?

Do we have a reply to this?  We cannot simply let emails to our
security list languish.

I suspect this does indeed cause a problem for us, by allocating a
huge number (like 20k) of smileys.  Does anyone know if we'll actually
try to do that?  If so, can we easily mitigate it?

Ethan

-- 
The laws that forbid the carrying of arms are laws [that have no remedy
for evils].  They disarm only those who are neither inclined nor
determined to commit crimes.
		-- Cesare Beccaria, "On Crimes and Punishments", 1764