XMPP/Jabber clients DoS vulnerability report
Daniel Atallah
daniel.atallah at gmail.com
Wed Jan 27 11:36:34 EST 2010
On Wed, Jan 27, 2010 at 11:26, Ethan Blanton <elb at pidgin.im> wrote:
> Paul Aurich spake unto us the following wisdom:
>>
>> I was indeed able to reproduce this (Pidgin did eventually unfreeze,
>> even). It's mitigated by setting the null smiley theme. Perhaps
>> there should be a hackish cap on the number of smileys per message,
>> the same way (I think?) there's a limit on the maximum number of
>> formatting changes per message?
>
> OK, that's what I was hoping to hear, is that it eventually unfreezes.
> I think we should handle this as follows:
>
> 1) Implement a cap on smileys per message; it can be quite high, even
> -- say 128.
> 2) Notify the original poster that we have verified the problem, that
> it is *not* a crash bug and that Pidgin will eventually recover,
> but that it is clearly a denial of service.
> 3) Request that, since the severity is rather low, this be embargoed
> for some time which we will determine among the involved projects,
> but which gives us time to make a proper next release, rather than
> an emergency bugfix release.
>
> How does that sound to everyone? I think we should take some official
> course of action ASAP. That is, after all, the reason we created this
> list. :-)
That sounds appropriate to me.
-D
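
The per-message smiley cap proposed in item 1 above, sketched in C as an added example; this is not Pidgin's code. The theme table, the function names and the flood message are constructed for illustration, and the costly image insertion is represented only by a counter.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SMILEYS_PER_MSG 128   /* cap value suggested in the thread */

/* Constructed sample theme; a real theme maps shortcuts to image files. */
static const char *const THEME[] = { ":)", ":(", ";)", ":D" };
#define THEME_LEN (sizeof THEME / sizeof THEME[0])

/* Length of the smiley shortcut starting at p, or 0 if none matches. */
static size_t match_smiley(const char *p)
{
    for (size_t i = 0; i < THEME_LEN; i++) {
        size_t n = strlen(THEME[i]);
        if (strncmp(p, THEME[i], n) == 0)
            return n;
    }
    return 0;
}

/* Walk msg and count how many shortcuts would become images (the costly
 * step). Once `cap` images are reached, matching stops and the rest of the
 * message stays plain text; *plain_bytes receives the bytes left as text. */
size_t render_smileys(const char *msg, size_t cap, size_t *plain_bytes)
{
    size_t images = 0, plain = 0;
    while (*msg) {
        size_t n = (images < cap) ? match_smiley(msg) : 0;
        if (n) { images++; msg += n; }   /* would insert an image here */
        else   { plain++;  msg++;    }   /* stays as text */
    }
    if (plain_bytes) *plain_bytes = plain;
    return images;
}

int main(void)
{
    enum { N = 10000 };                  /* constructed flood message */
    static char msg[2 * N + 1];          /* zero-initialised, so terminated */
    for (size_t i = 0; i < N; i++) memcpy(msg + 2 * i, ":)", 2);
    size_t plain = 0;
    size_t images = render_smileys(msg, MAX_SMILEYS_PER_MSG, &plain);
    printf("images=%zu plain_bytes=%zu\n", images, plain);
    return 0;
}
```

With the cap in place the expensive work per message is bounded by a constant, and the text past the cap is still delivered, just without images.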