XMPP/Jabber clients DoS vulnerability report
Paul Aurich
paul at darkrain42.org
Wed Jan 27 11:17:40 EST 2010
On Jan 25, 2010, at 10:36, Ethan Blanton wrote:
> at 2010-01-23T13:07+0000, Andrea Barisani wrote:
>> oCERT recently received a report about a DoS condition in Pidgin and Psi,
>> other XMPP clients might be affected (libpurple and libiris ones most
>> likely).
>>
>> The sample message attached to this email causes, according to the reporter,
>> 100% CPU load, the message can be sent by non-buddies as just the target jid
>> is sufficient.
>>
>> Can you confirm the issue?
>
> Do we have a reply to this? We cannot simply let emails to our
> security list languish.
>
> I suspect this does indeed cause a problem for us, by allocating a
> huge number (like 20k) smileys. Does anyone know if we'll actually
> try to do that? If so, can we easily mitigate it?
>
> Ethan
I was indeed able to reproduce this (Pidgin did eventually unfreeze, even). It's mitigated by setting the null smiley theme. Perhaps there should be a hackish cap on the number of smileys per message, the same way (I think?) there's a limit on the maximum number of formatting changes per message?
~Paul
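
A minimal sketch of the per-message smiley cap suggested above, as an added example that is not Pidgin or libpurple code. The shortcut table, the `<img>` stand-in for creating an image widget, the function names and the cap value of 64 are all assumptions; the thread names no limit.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SMILEYS_PER_MSG 64  /* hypothetical cap, not a value from the thread */

/* Constructed shortcut table standing in for a loaded smiley theme. */
static const char *const SHORTCUTS[] = { ":-)", ":)", ";)", ":(", ":D" };
#define N_SHORTCUTS (sizeof SHORTCUTS / sizeof SHORTCUTS[0])

/* Length of the shortcut starting at s, or 0 if none matches. */
static size_t match_smiley(const char *s)
{
    for (size_t i = 0; i < N_SHORTCUTS; i++) {
        size_t n = strlen(SHORTCUTS[i]);
        if (strncmp(s, SHORTCUTS[i], n) == 0)
            return n;
    }
    return 0;
}

/* Copy msg to out, replacing shortcuts with "<img>" until cap is reached;
 * later shortcuts stay plain text, so per-message work is bounded.
 * Returns substitutions made, or (size_t)-1 if out is too small. */
size_t render_capped(const char *msg, char *out, size_t outsz, size_t cap)
{
    static const char IMG[] = "<img>";
    size_t used = 0, count = 0;

    if (outsz == 0)
        return (size_t)-1;
    while (*msg) {
        size_t n = (count < cap) ? match_smiley(msg) : 0;
        size_t len = n ? sizeof IMG - 1 : 1;
        if (used + len + 1 > outsz)          /* keep room for the NUL */
            return (size_t)-1;
        memcpy(out + used, n ? IMG : msg, len);
        used += len;
        msg += n ? n : 1;
        count += (n != 0);
    }
    out[used] = '\0';
    return count;
}

int main(void)
{
    static char msg[2 * 20000 + 1], out[sizeof msg + 5 * MAX_SMILEYS_PER_MSG];
    for (size_t i = 0; i < 20000; i++)
        memcpy(msg + 2 * i, ":)", 2);        /* constructed input: 20k shortcuts */
    printf("%zu widgets\n", render_capped(msg, out, sizeof out, MAX_SMILEYS_PER_MSG));
    return 0;
}
```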