XMPP/Jabber clients DoS vulnerability report

Ethan Blanton elb at pidgin.im
Wed Jan 27 11:26:33 EST 2010


Paul Aurich spake unto us the following wisdom:
> >> The sample message attached to this email causes, according to the reporter,
> >> 100% CPU load, the message can be sent by non-buddies as just the target jid
> >> is sufficient.
> > 
> > Do we have a reply to this?  We cannot simply let emails to our
> > security list languish.
> > 
> > I suspect this does indeed cause a problem for us, by allocating a
> > huge number (like 20k) smileys.  Does anyone know if we'll actually
> > try to do that?  If so, can we easily mitigate it?
> 
> I was indeed able to reproduce this (Pidgin did eventually unfreeze,
> even).  It's mitigated by setting the null smiley theme.  Perhaps
> there should be a hackish cap on the number of smileys per message,
> the same way (I think?) there's a limit on the maximum number of
> formatting changes per message?

OK, that's what I was hoping to hear, is that it eventually unfreezes.
I think we should handle this as follows:

1) Implement a cap on smileys per message; it can be quite high, even
   -- say 128.
2) Notify the original poster that we have verified the problem, that
   it is *not* a crash bug and that Pidgin will eventually recover,
   but that it is clearly a denial of service.
3) Request that, since the severity is rather low, this be embargoed
   for some time which we will determine among the involved projects,
   but which gives us time to make a proper next release, rather than
   an emergency bugfix release.

How does that sound to everyone?  I think we should take some official
course of action ASAP.  That is, after all, the reason we created this
list.  :-)

Ethan

-- 
The laws that forbid the carrying of arms are laws [that have no remedy
for evils].  They disarm only those who are neither inclined nor
determined to commit crimes.
		-- Cesare Beccaria, "On Crimes and Punishments", 1764
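The mitigation proposed in step 1 above, a per-message cap on rendered smileys, as an added illustration that is not Pidgin's own code. The smiley theme, the token-to-image mapping and the `<img>` placeholder output are constructed assumptions for the example; the point it demonstrates is that once the cap is reached the remaining tokens stay as plain text, so a message carrying tens of thousands of smileys costs no more than one carrying 128 of them.

```python
import html
import re

# Constructed smiley theme (hypothetical, not Pidgin's real theme): token -> image file
SMILEY_THEME = {
    ":)": "smile.png",
    ":(": "sad.png",
    ";)": "wink.png",
}

# Cap suggested in the thread; generous for real chat, tiny compared to a flood.
MAX_SMILEYS_PER_MESSAGE = 128


def _compile_pattern(theme):
    # Longest tokens first so a longer smiley wins over a shorter prefix of it.
    tokens = sorted(theme, key=len, reverse=True)
    return re.compile("|".join(re.escape(t) for t in tokens))


def render_smileys(text, theme=SMILEY_THEME, cap=MAX_SMILEYS_PER_MESSAGE):
    """Replace smiley tokens with image placeholders, at most `cap` times.

    Returns (rendered_text, smileys_rendered, smileys_left_as_text).
    Tokens past the cap are returned untouched, so no image is allocated for them.
    """
    pattern = _compile_pattern(theme)
    rendered = 0
    skipped = 0

    def repl(match):
        nonlocal rendered, skipped
        token = match.group(0)
        if rendered >= cap:
            skipped += 1
            return token  # leave the literal text; nothing expensive happens here
        rendered += 1
        return '<img alt="%s" src="%s"/>' % (html.escape(token, quote=True),
                                             theme[token])

    return pattern.sub(repl, text), rendered, skipped


def flood_message(count=20000):
    """Constructed sample resembling the reported message: one smiley repeated `count` times."""
    return ":)" * count


if __name__ == "__main__":
    out, shown, skipped = render_smileys("hi :) how are you :( ;)")
    print(shown, "rendered,", skipped, "left as text")        # normal message: 3 rendered, 0 left

    out, shown, skipped = render_smileys(flood_message())
    print(shown, "rendered,", skipped, "left as text")        # flood: 128 rendered, 19872 left
```

A cap like this is deliberately a coarse control: it bounds the work the renderer does per message regardless of who sent it, which matters here because the original report notes that a non-buddy only needs the target JID to deliver the message.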