libpurple gadu-gadu issues

Tomasz Wasilczyk tomkiewicz at cpw.pidgin.im
Tue Aug 20 15:29:21 EDT 2013


2013/8/20 Lukas Odzioba <lukas.odzioba at gmail.com>:
> 2013/8/20 Tomasz Wasilczyk <tomkiewi at gmail.com>:
>> I'm not sure, if we should deal with the cases, where the attacker is
>> able to spoof the server.
>
> I think you should, and you already did it for other protocols:
> http://www.pidgin.im/news/security/?id=66
> http://www.pidgin.im/news/security/?id=67
> http://www.pidgin.im/news/security/?id=40

Sorry, I didn't express myself clearly enough - I meant cases where the
attacker spoofs the server and does things that the legitimate server
and original client would do anyway (cases where improper input crashes
the client belong to a different class). I admit that in 2.x.y there is
no such feature as automatic roster synchronization for the gg prpl, and
the scenario you described is unexpected. But for 3.0.0 I've implemented
a new roster synchronization protocol, so it will be "vulnerable" to
the same attack, just like xmpp is (remote buddy list updating).
Anyway, as I said - I've removed this code, so the issue is gone.

> BTW I checked handy Slackware and Ubuntu packages; on both systems
> encryption is not enabled by default, and setting "Use encryption if
> available" does not change anything in my case.

Have you tried "require encryption"? It should do what it says.

> Besides, encryption does not prevent you from connecting to the wrong server.

Doesn't it? I'm afraid I don't understand.

> And I still don't like the idea that someone/someserver can add
> friends to my list against my will, especially if this can be avoided.

You're right, this is an issue. But I wouldn't call it "major".

>> However, I've removed the buddy list uploading/downloading feature,
>> because it doesn't work as expected for now (it's a problem on the
>> Gadu-Gadu service provider's side).
>
> I just tested downloading from an official server and it works fine
> (list in "GG70ExportString" format).

It works partially. The Gadu-Gadu service provider does some "magic" to
merge the old contact list format with the new roster database, so it
doesn't work the same way as it used to. For example - please see [1].
I've contacted Gadu-Gadu service support and they said the GG7
import/export functionality is not supported anymore. There is no point
maintaining it in our codebase, since the new protocol is already
implemented for 3.0.0.

> This does not change the fact that allowing arbitrarily long buddy
> lists is a bug, isn't it?
> When you spam a user with messages he will probably notice that; when
> you spam him with such crafted packets he probably won't notice the
> reason (pidgin does not respond, cpu usage is close to 100%, memory
> footprint grows up to ridiculous values (1GB = 16384 packets)).
> Also this memory is not freed up after the end of such an attack, or
> there is a memleak when realloc fails.

Of course, this is also an issue - it's always better to be resistant
to DoS attacks than not to be.

Thanks for being so involved,
Tomek

[1] https://trac.adium.im/ticket/9126
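The last point in the thread (memory that grows without bound under a flood of buddy-list packets, and a leak when realloc fails) comes down to one accumulation pattern. The following is an added example written for this archive page; it is not libpurple code and not the gg prpl's actual implementation. The struct and function names, the 1 MiB cap and the 64 KiB chunk size (chosen to match the 1GB = 16384 packets ratio in the report) are assumptions, and the flood input is constructed inline.

```c
/* Added example, not libpurple/gg prpl code.  Shows the leaky, unbounded
 * way to accumulate a server-sent contact list in chunks, beside a bounded
 * version that keeps ownership of the buffer when realloc fails.
 * All identifiers here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical accumulator for chunks of a server-sent contact list. */
struct list_buf {
    char *data;
    size_t len;
};

/* Leaky pattern: no upper bound on total size, and on realloc failure the
 * old pointer is overwritten with NULL, so everything accumulated so far
 * becomes unreachable (the "memleak when realloc fails" case). */
int append_chunk_unbounded(struct list_buf *b, const char *chunk, size_t n)
{
    b->data = realloc(b->data, b->len + n);
    if (b->data == NULL)
        return -1;                  /* previous b->data is now leaked */
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    return 0;
}

/* Assumed cap on the total list size (1 MiB); a real client would pick
 * a value derived from the protocol's own limits. */
#define MAX_LIST_BYTES (1024 * 1024)

/* Hardened pattern: reject chunks that would exceed the cap (checked in a
 * form that cannot overflow), and realloc through a temporary so the
 * original buffer is still owned and freeable if allocation fails. */
int append_chunk_bounded(struct list_buf *b, const char *chunk, size_t n)
{
    char *tmp;
    if (n > MAX_LIST_BYTES - b->len)
        return -2;                  /* list too long: refuse, keep old data */
    tmp = realloc(b->data, b->len + n);
    if (tmp == NULL)
        return -1;                  /* b->data still valid; caller frees it */
    b->data = tmp;
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    return 0;
}

void list_buf_free(struct list_buf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = 0;
}

/* Feed a constructed flood of equal-sized chunks through the bounded
 * accumulator.  Returns how many chunks were accepted before the cap
 * rejected one; memory is released regardless of how far it got. */
size_t feed_flood_bounded(size_t chunk_size, size_t chunks)
{
    struct list_buf b = { NULL, 0 };
    char *chunk = malloc(chunk_size);
    size_t accepted = 0;
    size_t i;
    if (chunk == NULL)
        return 0;
    memset(chunk, 'A', chunk_size);     /* constructed payload bytes */
    for (i = 0; i < chunks; i++) {
        if (append_chunk_bounded(&b, chunk, chunk_size) != 0)
            break;
        accepted++;
    }
    list_buf_free(&b);
    free(chunk);
    return accepted;
}

int main(void)
{
    /* 16384 packets of 64 KiB is the ~1 GB flood from the report; with the
     * assumed 1 MiB cap only the first 16 are accepted. */
    size_t n = feed_flood_bounded(64 * 1024, 16384);
    printf("accepted %zu chunks before the cap rejected the flood\n", n);
    return 0;
}
```

The cap is what turns the attack from unbounded memory growth into a bounded, loggable rejection; the temporary pointer is what keeps an allocation failure from turning into a leak of everything received before it. Both are independent of the wire format, so they apply to any "server pushes my list to me" feature, including a roster-synchronization protocol.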

