Potential security issue: Yahoo authorisation requests with invalid encoding

Sulabh Mahajan sulabh.dev at gmail.com
Sat Dec 29 09:05:58 EST 2012


Hi Mark,

I looked at this issue earlier when there was a discussion regarding this.
I can take a look at the code tomorrow, and fix all the untreated strings
that I can find.

Regards,
Sulabh Mahajan

On Sat, Dec 29, 2012 at 3:15 AM, Mark Doliner <mark at kingant.net> wrote:

> (+to Sulabh, who has done some work on our Yahoo! protocol plugin.)
>
> On Mon, Sep 24, 2012 at 8:52 AM, Ethan Blanton <elb at pidgin.im> wrote:
> > The fix for this particular crash is easy, although I'm not sure
> > whether the incoming message should be sanitized with
> > yahoo_string_decode or purple_utf8_salvage
>
> I don't know the answer, but since the code currently treats the
> strings as utf8 it seems reasonable to use purple_utf8_salvage.
>
> > However, in looking through
> > the yahoo prpl, it looks likely to me that there are a LOT of places
> > where this is likely to be a problem.  As an example, in the very same
> > notification messages, the incoming nickname fields are not sanitized.
>
> If anyone is interested in working on this in the next day or two let
> me know, otherwise I'll take a stab at it and send out a patch for
> review.
>
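
As an added illustration of the salvage approach discussed in this thread (not code from the message, from Pidgin, or from libpurple): a stand-alone C stand-in that checks an incoming field for well-formed UTF-8 and replaces each invalid byte with '?' before the field is used. The names `utf8_seq_len`, `salvage_field` and `SAMPLE_NICK` are assumptions made for the example.

```c
/* Added example, not libpurple code: stand-in for a UTF-8 salvage helper. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: a nickname field carrying a lone Latin-1 0xE9 byte. */
const char SAMPLE_NICK[] = "bob\xE9" "s";

/* Length (1-4) of the well-formed UTF-8 sequence at s, or 0 when the bytes are
 * invalid: stray continuation, truncation, overlong form, surrogate, > U+10FFFF. */
static size_t utf8_seq_len(const unsigned char *s, size_t avail) {
    size_t need, i;
    unsigned long cp, min;
    if (s[0] < 0x80) return 1;
    if ((s[0] & 0xE0) == 0xC0)      { need = 2; cp = s[0] & 0x1F; min = 0x80; }
    else if ((s[0] & 0xF0) == 0xE0) { need = 3; cp = s[0] & 0x0F; min = 0x800; }
    else if ((s[0] & 0xF8) == 0xF0) { need = 4; cp = s[0] & 0x07; min = 0x10000; }
    else return 0;
    if (need > avail) return 0;
    for (i = 1; i < need; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
    return need;
}

/* malloc'd copy with each invalid byte set to '?'; count goes to *replaced. */
char *salvage_field(const char *in, size_t *replaced) {
    size_t n = strlen(in), i = 0, k;
    char *out = malloc(n + 1);
    if (out == NULL) return NULL;
    memcpy(out, in, n + 1);
    *replaced = 0;
    while (i < n) {
        k = utf8_seq_len((const unsigned char *)in + i, n - i);
        if (k == 0) { out[i] = '?'; (*replaced)++; k = 1; }
        i += k;
    }
    return out;
}

int main(void) {
    size_t bad = 0;
    char *clean = salvage_field(SAMPLE_NICK, &bad);
    if (clean != NULL) printf("%s (%zu byte(s) replaced)\n", clean, bad);
    free(clean);
    return 0;
}
```

A non-zero replacement count is worth logging, since it marks a peer that sent a field the plugin would otherwise have treated as UTF-8.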