Potential security issue: Yahoo authorisation requests with invalid encoding

Mark Doliner mark at kingant.net
Mon Dec 31 14:02:39 EST 2012


On Mon, Dec 31, 2012 at 4:46 AM, Sulabh Mahajan <sulabh.dev at gmail.com> wrote:
> While looking into the issue, I find several instances of untreated strings.
> Also, there are some places where the string returned by yahoo_string_decode
> has not been freed, causing memory leaks.

Feel free to commit memory leak fixes to trunk.  I don't think we need
to backport them to 2.x.y.  But please DON'T commit encoding changes
anywhere publicly, yet.  Since there is a possibility that a remote
Yahoo! user could cause your Pidgin client to crash, I think we should
treat this as a security issue and coordinate with distributions and
an embargo date.

> Rather than validating strings in the action functions, we should pass all
> the packets through a helper function, which will make sure that the strings
> are UTF-8. Later on we can get rid of the then-redundant checks in the action
> functions.

I think this is a great idea as long as it's possible.  Are values
always strings, or are they sometimes binary?  Are all strings encoded
the same way?  It looks like they aren't, since some functions call
yahoo_string_decode() with utf8=FALSE and others with utf8=TRUE.
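As an added example (not Pidgin's code and not from either poster), one shape the proposed helper could take in C: a strict UTF-8 validator applied to each packet value before any action function sees it, with invalid values replaced by a constant placeholder so nothing downstream operates on malformed bytes. The function names and the placeholder text are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Strict UTF-8 check (hypothetical helper, not Pidgin's code).
 * Returns 1 if buf[0..len) is well-formed UTF-8 with no embedded NUL,
 * rejecting overlong forms, UTF-16 surrogates and code points above U+10FFFF. */
int utf8_valid(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        unsigned char c = buf[i];
        size_t need;
        uint32_t cp, lo;
        if (c == 0) return 0;                         /* embedded NUL would truncate C strings */
        if (c < 0x80) { i++; continue; }              /* plain ASCII */
        if (c >= 0xC2 && c <= 0xDF) { need = 1; cp = c & 0x1F; lo = 0x80; }
        else if (c >= 0xE0 && c <= 0xEF) { need = 2; cp = c & 0x0F; lo = 0x800; }
        else if (c >= 0xF0 && c <= 0xF4) { need = 3; cp = c & 0x07; lo = 0x10000; }
        else return 0;                                /* 0x80-0xC1, 0xF5-0xFF never start a sequence */
        if (len - i - 1 < need) return 0;             /* sequence truncated at end of packet */
        for (size_t k = 1; k <= need; k++) {
            unsigned char cc = buf[i + k];
            if ((cc & 0xC0) != 0x80) return 0;        /* continuation must be 10xxxxxx */
            cp = (cp << 6) | (cc & 0x3F);
        }
        if (cp < lo) return 0;                        /* overlong encoding */
        if (cp >= 0xD800 && cp <= 0xDFFF) return 0;   /* surrogate, not a scalar value */
        if (cp > 0x10FFFF) return 0;
        i += need + 1;
    }
    return 1;
}

static char *dup_bytes(const unsigned char *src, size_t len)
{
    char *out = malloc(len + 1);
    if (out) { memcpy(out, src, len); out[len] = '\0'; }
    return out;
}

/* Pass every packet value through this before the action functions.
 * Returns a newly allocated NUL-terminated copy if the value is valid UTF-8,
 * otherwise a copy of a constant placeholder. Caller frees the result. */
char *yahoo_packet_value_sanitize(const unsigned char *val, size_t len)
{
    const char *fallback = "[invalid encoding]";    /* hypothetical placeholder */
    if (!utf8_valid(val, len))
        return dup_bytes((const unsigned char *)fallback, strlen(fallback));
    return dup_bytes(val, len);
}
```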

