XMPP/Jabber clients DoS vulnerability report
Ethan Blanton
elb at pidgin.im
Wed Jan 27 13:40:17 EST 2010
Ethan Blanton spake unto us the following wisdom:
> OK, that's what I was hoping to hear, is that it eventually unfreezes.
> I think we should handle this as follows:
>
> 1) Implement a cap on smileys per message; it can be quite high, even
> -- say 128.
I should add that I believe we should NOT commit this cap until the
embargo terms are hammered out, so as not to break the embargo.
> 2) Notify the original poster that we have verified the problem, that
> it is *not* a crash bug and that Pidgin will eventually recover,
> but that it is clearly a denial of service.
> 3) Request that, since the severity is rather low, this be embargoed
> for some time which we will determine among the involved projects,
> but which gives us time to make a proper next release, rather than
> an emergency bugfix release.
>
> How does that sound to everyone? I think we should take some official
> course of action ASAP. That is, after all, the reason we created this
> list. :-)
So far I have agreement from Daniel. I would like to respond to this
today.
Ethan
--
The laws that forbid the carrying of arms are laws [that have no remedy
for evils]. They disarm only those who are neither inclined nor
determined to commit crimes.
-- Cesare Beccaria, "On Crimes and Punishments", 1764
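The cap proposed in item 1 above, as an added example that is not Pidgin's or libpurple's own code: a renderer that substitutes at most SMILEY_CAP smileys per message and leaves any further ones as literal text, so a flood of thousands of smileys costs at most 128 image insertions. The smiley table, the "[img:N]" placeholder standing in for an actual image insertion, and the helper names are assumptions made for the example.

```c
/* Added example of a per-message smiley cap (not Pidgin's own code).
 * The smiley table and the "[img:N]" placeholder are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SMILEY_CAP 128 /* value proposed in the thread */

/* Constructed sample smiley table; real themes are larger. */
static const char *smileys[] = { ":)", ":(", ";)", ":P" };
static const size_t nsmileys = sizeof smileys / sizeof smileys[0];

/* Index of the smiley that matches at s, or -1 if none does. */
static int match_smiley(const char *s)
{
    for (size_t i = 0; i < nsmileys; i++)
        if (strncmp(s, smileys[i], strlen(smileys[i])) == 0)
            return (int)i;
    return -1;
}

/* Render msg into out (outlen bytes), replacing at most `cap` smileys
 * with "[img:N]" and copying everything else, including smileys beyond
 * the cap, as literal text. Output is always NUL-terminated and is
 * truncated if it does not fit. Returns the number of smileys rendered. */
size_t render_with_cap(const char *msg, unsigned cap, char *out, size_t outlen)
{
    size_t rendered = 0, o = 0;
    if (outlen == 0)
        return 0;
    for (const char *p = msg; *p; ) {
        /* Once the cap is reached, stop looking for smileys at all. */
        int idx = (rendered < cap) ? match_smiley(p) : -1;
        if (idx >= 0) {
            char tag[32];
            int n = snprintf(tag, sizeof tag, "[img:%d]", idx);
            if (o + (size_t)n >= outlen)
                break;
            memcpy(out + o, tag, (size_t)n);
            o += (size_t)n;
            p += strlen(smileys[idx]);
            rendered++;
        } else {
            if (o + 1 >= outlen)
                break;
            out[o++] = *p++;
        }
    }
    out[o] = '\0';
    return rendered;
}

/* Build a constructed flood message of n copies of ":)" (caller frees). */
char *make_flood(size_t n)
{
    char *s = malloc(2 * n + 1);
    if (!s)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        s[2 * i] = ':';
        s[2 * i + 1] = ')';
    }
    s[2 * n] = '\0';
    return s;
}

int main(void)
{
    char out[8192];
    char *flood = make_flood(2000);
    size_t n = render_with_cap(flood, SMILEY_CAP, out, sizeof out);
    printf("smileys in message: 2000, rendered: %zu\n", n);
    free(flood);
    return 0;
}
```

The check worth keeping is that the cap bounds rendering work rather than message length: a 2000-smiley flood still produces exactly SMILEY_CAP image insertions, and the remaining smileys survive as plain text so no content is lost.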