purple_util_fetch_url vulnerability

Daniel Atallah daniel.atallah at gmail.com
Thu Feb 21 12:20:44 EST 2013

On Mon, Feb 11, 2013 at 11:06 PM, Daniel Atallah
<daniel.atallah at gmail.com>wrote:

> This comes from "Jacob Appelbaum of the Tor Project" who contacted me
> privately.
> I assume we don't want to try to delay 2.10.7 to address this, but it
> probably means that we'll be releasing again soon :(
> It looks like this is mostly addressed in the http rewrite that Tomasz
> Wasilczyk did in default (I didn't look super closely at it, but I did
> notice that it doesn't seem to suffer from the unbounded heap
> allocation going on here).
> Here's the information:
> Jacob Appelbaum: basically, purple_util_fetch_url_request is totally unsafe


I've attached a patch that should resolve this issue (and corrects a couple
other things that I noticed when looking into it).

It's potentially slightly controversial because it enforces a max download
of 512KiB when no explicit maximum download length has been specified to
the API.
Ideally everything should use an explicit length for the maximum amount of
data that would be reasonable to download over HTTP.

The following areas in-tree currently don't have an explicit length
specified - I'm planning to make the specified size changes:
Release Notification Plugin (100K)
Gadu-Gadu Avatar Download
Jabber Google Jingle Relay Token retrieval (20K(?))
MXit inline image download
MXit Login token
MXit Challenge information
MXit Packet Download
Oscar Session Cookie retrieval (20K(?))
Yahoo Token retrieval (20K(?))
Yahoo Alias Downloading (512KiB)

We can ask Tomasz about the Gadu-Gadu changes and the MXit guys for the
specifics about those protocols.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 33782.patch
Type: application/octet-stream
Size: 5969 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/security/attachments/20130221/d256c358/attachment.obj>
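The message above describes two things: an HTTP fetch helper that grew its heap buffer on every received chunk with no ceiling, and a fix that enforces a 512KiB default when the caller passes no explicit maximum. The following C program is an added illustration of that pattern and is not the attached 33782.patch or any code from libpurple; the type and function names (`fetch_buf`, `append_unbounded`, `append_bounded`, `simulate_download`) and the meaning of `max_len == 0` as "use the default" are assumptions made for the example. The unbounded accumulator is kept beside the bounded one so the difference in behaviour on a 1MiB body is visible.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed default ceiling, matching the 512KiB figure from the message. */
#define DEFAULT_MAX_DOWNLOAD ((size_t)512 * 1024)

/* Hypothetical response accumulator; not libpurple's data structure. */
struct fetch_buf {
    char *data;
    size_t len;      /* bytes stored so far */
    size_t cap;      /* bytes currently allocated */
    size_t max_len;  /* hard ceiling on len; len <= max_len always holds */
};

typedef int (*append_fn)(struct fetch_buf *, const char *, size_t);

static void fetch_buf_init(struct fetch_buf *b, size_t max_len)
{
    memset(b, 0, sizeof *b);
    /* 0 means "caller gave no limit": fall back to the default instead of
     * treating the download as unlimited. */
    b->max_len = max_len ? max_len : DEFAULT_MAX_DOWNLOAD;
}

static void fetch_buf_free(struct fetch_buf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* The problem pattern: every chunk grows the heap buffer, the peer decides
 * how large it gets, and max_len is never consulted. */
static int append_unbounded(struct fetch_buf *b, const char *chunk, size_t n)
{
    char *p = realloc(b->data, b->len + n);
    if (!p)
        return -1;
    b->data = p;
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    b->cap = b->len;
    return 0;
}

/* Hardened form: reject the chunk that would push len past max_len, and
 * never reserve more than max_len even when doubling capacity. */
static int append_bounded(struct fetch_buf *b, const char *chunk, size_t n)
{
    if (n > b->max_len - b->len)  /* no underflow: len <= max_len */
        return -1;
    if (b->len + n > b->cap) {
        char *p;
        size_t newcap = b->cap ? b->cap * 2 : 4096;
        if (newcap < b->len + n)
            newcap = b->len + n;
        if (newcap > b->max_len)
            newcap = b->max_len;
        p = realloc(b->data, newcap);
        if (!p)
            return -1;
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    return 0;
}

/* Feed a constructed body of total_len bytes, in chunk_len pieces, through
 * the chosen accumulator. Returns bytes kept, or -1 once the cap is hit. */
static long simulate_download(append_fn fn, size_t total_len,
                              size_t chunk_len, size_t max_len)
{
    struct fetch_buf b;
    char chunk[4096];
    size_t sent = 0;
    long result;

    if (chunk_len > sizeof chunk)
        chunk_len = sizeof chunk;
    memset(chunk, 'A', sizeof chunk);  /* constructed body, all 'A' */
    fetch_buf_init(&b, max_len);
    while (sent < total_len) {
        size_t n = total_len - sent < chunk_len ? total_len - sent : chunk_len;
        if (fn(&b, chunk, n) != 0) {
            fetch_buf_free(&b);
            return -1;
        }
        sent += n;
    }
    result = (long)b.len;
    fetch_buf_free(&b);
    return result;
}

int main(void)
{
    printf("1MiB body, unbounded:        %ld\n",
           simulate_download(append_unbounded, 1024 * 1024, 4096, 0));
    printf("1MiB body, default cap:      %ld\n",
           simulate_download(append_bounded, 1024 * 1024, 4096, 0));
    printf("100KiB body, default cap:    %ld\n",
           simulate_download(append_bounded, 100 * 1024, 4096, 0));
    printf("30KiB body, explicit 20KiB:  %ld\n",
           simulate_download(append_bounded, 30 * 1024, 1024, 20 * 1024));
    return 0;
}
```

The check `n > b->max_len - b->len` is written in subtracted form on purpose: `b->len + n > b->max_len` can wrap when `n` comes from an attacker-controlled length field, while the subtraction cannot underflow because `len` never exceeds `max_len`. Callers that know what size is reasonable for their protocol (the 20K and 100K figures listed in the message) should still pass an explicit limit rather than rely on the default.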
