security review and patches for libpurple

Jacob Appelbaum jacob at appelbaum.net
Tue Jul 19 01:10:29 EDT 2011


On 07/19/2011 12:57 AM, Chris Palmer wrote:
> On Jul 18, 2011, at 9:46 PM, Jacob Appelbaum wrote:
> 
>> On a related topic - I'd like to share a bit of insider knowledge
>> from the bug hunting community. I've just recently finished a nine
>> day REcon stint and I wasn't too happy with what I heard about
>> pidgin. Specifically, I've heard that people are trying to sell
>> pidgin 0day but they're not finding any ethical buyers; that is to
>> say that ZDI doesn't buy pidgin bugs and work to get them fixed.
>> Meanwhile, I've directly seen that some of the digital arms dealing
>> companies are making offers for pidgin/libpurple bugs. I assume
>> that libxml2 bugs via pidgin are valid "pidgin bugs" in the arms
>> dealing world.
>> 
>> I really think that a strong pidgin/libpurple security push is
>> needed - something much larger than what a few developers might be
>> able to accomplish on their own.
> 
> Successful patches devalue the work of arms dealers. The pleasure of
> doing that is reward enough, to me. :)
> 

I agree entirely. The reason I mention it is that I don't think we've
caught the bugs that people are buying and selling daily.

It's important that everyone understands that there are people sitting
on weaponized remote exploits for libpurple/pidgin. It's certain to me
that a few of these bugs have been sold to the previously mentioned
weapons dealers.

I run my Pidgin in a restrictive AppArmor profile that is very limited
and I debug-log everything I receive in the hopes of catching some of
this elusive 0day - so far I've had no luck. :(

> Being under concerted attack like this should motivate a unified
> approach to common C bug classes. All the integer overflows, buffer
> overflows, format string vulnerabilities, et c. should be ruled out
> by strict code guidelines. Only then can we focus on higher-level
> vulnerabilities, in the way that developers in less primitive
> languages get to do.
> 

I agree entirely. There's a good path to making sure it's a lot harder
than it has been previously. Pidgin/libpurple is important software!

It would be nice if pidgin included OTR by default - this is one of the
nicest things about Adium - the threat of the chat server itself is
partially mitigated by default on Adium!

All the best,
Jacob