Potential security issue: Yahoo authorisation requests with invalid encoding

Ethan Blanton elb at pidgin.im
Mon Sep 24 11:52:03 EDT 2012

Robert Vehse spake unto us the following wisdom:
> at Adium, we received a bug report about a crash with Yahoo. It looks
> like it could be a security issue in libpurple.

It is.  It may be that the Yahoo! servers protect us from it in some
or most circumstances (I really don't know), but we should not count
on that -- particularly given the craptacularity of the Yahoo!

The fix for this particular crash is easy, although I'm not sure
whether the incoming message should be sanitized with
yahoo_string_decode or purple_utf8_salvage (I suspect the former, can
someone familiar with Yahoo! comment?).  However, in looking through
the yahoo prpl, it looks likely to me that there are a LOT of places
where this is likely to be a problem.  As an example, in the very same
notification messages, the incoming nickname fields are not sanitized.

If someone can give me a hint about the normalization method most
appropriate for Y!M, I'm willing to take a quick pass at fixing the
obvious stuff -- but someone more familiar with the protocol will need
to do a deeper check.

I am troubled that these sorts of problems continue to crop up in
several of our protocols.  Specifically, MSN and Yahoo! have had
similar issues many times over the past few years.  While I understand
why it is not happening (and am indeed part of the problem), I think
we need to spend some time auditing our prpls.  This really is not a
good situation.  I wonder (out loud) if there is a way to harness the
broader security community's energy at this, without turning Pidgin
into a mass of previously-unexplored zero-day exploits.
