XMMP/Jabber clients DoS vulnerability report

Ethan Blanton elb at pidgin.im
Wed Jan 27 22:45:50 EST 2010 

Andrea Barisani spake unto us the following wisdom:
> oCERT recently received a report about a DoS condition in Pidgin and Psi,
> other XMMP clients might be affected (libpurple and libiris ones most
> likely).
> 
> The sample message attached to this email causes, according to the reporter,
> 100% CPU load, the message can be sent by non-buddies as just the target jid
> is sufficient.
> 
> Can you confirm the issue?

We can confirm this issue.  The CPU load is caused by Pidgin's
allocation and display of a large number of smiley emoticons
corresponding to the ':D' string, and any similar emoticon could be
used to generate this effect.  The delay is bounded, however, and
after some time Pidgin will in fact display 20,000 lines
(approximately) of :D images.

We intend to circumvent the potential DoS in this issue by rendering
only the first k emoticons in a given message (where k has not yet
been determined), and this fix will likely be in our next regular
release.

> oCERT is mainly concerned about the issue not being exploitable as we
> generally don't issue advisory about "simple DoS conditions.

This is not an exploitable bug, it is simply a denial of service
through resource allocation.

> However we would be happy to coordinate with vendors/distributions if you
> want any help in pushing the eventual fixes around in a coordinated fashion.
> If this is the case, and the issue is confirmed, I'd like to discuss an
> embargo date that would allow us to contact all affected vendors with a
> patch and request not to disclose this issue in public.

This is very much a client-specific fix, and the fixing of this issue
in one client with a suitable commit message (e.g., "bound maximum
emoticons in an incoming message to speed rendering of large
messages") does not immediately imply that there is a DoS to be taken
advantage of in the client in question or any other client.

We are happy to embargo this until a given date if other projects
wish to do so; otherwise, we will notify our packagers of this as we
would any other DoS-related change before release.  We do not wish to
push an immediate release due to this issue, so if you wish to publish
a security bulletin on the matter, we would like to embargo for a
couple of weeks (or more) so that we can go through a normal string
freeze, translation cycle, etc.

Ethan

-- 
The laws that forbid the carrying of arms are laws [that have no remedy
for evils].  They disarm only those who are neither inclined nor
determined to commit crimes.
		-- Cesare Beccaria, "On Crimes and Punishments", 1764
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 481 bytes
Desc: Digital signature
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20100127/a820ba08/attachment.pgp>

More information about the security mailing list