Remote crash

Elliott Sales de Andrade qulogic at pidgin.im
Wed Jan 16 23:04:48 EST 2013


On Wed, Jan 16, 2013 at 3:43 PM, Daniel Atallah
<daniel.atallah at gmail.com> wrote:
> On Wed, Jan 16, 2013 at 3:17 PM, Eion Robb <eion at robbmob.com> wrote:
>> Since we ship our own libpango, are we better off taking a crack at fixing
>> the bug, rather than working around it?
>> I mean, if we were to go to the effort of sanitising everywhere that we
>> receive user input (buddy name, alias, chat messages, im messages, topic,
>> Get Info, notify windows, text input areas)....
>
> Yeah, this certainly would be the best solution.  That would be the
> real "central location" to fix the bug.
>
> It's not too horrible to build Pango, but the code in question seemed
> pretty arcane when I took a brief look at it.
>
> I'd be happy to try to help you set up a build environment and we may
> be able to get some tips from Behdad; his latest comment on the
> bugzilla ticket indicated he may be able to point at a solution.
>

I took a look at the code in git. If we could compile with the
BASIC_WIN32_DEBUGGING macro, maybe that will point to something?
Although it's possible someone added that code after the bug was
reported to try and figure out the problem.

> -D
>
>> On 17 January 2013 04:30, Ethan Blanton <elb at pidgin.im> wrote:
>>>
>>> Daniel Atallah spake unto us the following wisdom:
>>> > > I'm wondering if GtkIMHtml should filter stuff on the way through, in
>>> > > Windows?  It sounds like maybe that's not perfect protection (I assume
>>> > > you'd just have to put such a string in an invite or similar), but
>>> > > it'd avoid channel-clearing etc.
>>> >
>>> > Yes, I've been meaning to do something like this.  I have an
>>> > incomplete patch that sanitizes problematic characters out of strings
>>> > (similar to what the plugin does).
>>> > I was hoping for a more central location to do this rather than for
>>> > GtkIMHtml, but that may not exist.
>>>
>>> What about pidgin_utf8_salvage() and the associated conversion
>>> functions?  On Windows, those could perform another pass to sanitize
>>> the string.  It's ugly and kind of expensive, but maybe not as
>>> crashy-crashy?
>>>
>>> Ethan
>>> _______________________________________________
>>> security mailing list
>>> security at pidgin.im
>>> http://pidgin.im/cgi-bin/mailman/listinfo/security
>>
>>



-- 
Elliott aka QuLogic
Pidgin developer
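The two-pass approach Ethan describes (a UTF-8 salvage step followed by a Windows-only sanitizing pass before text reaches the renderer), as an added example in C that is not Pidgin's code: pidgin_utf8_salvage() is Pidgin's own function and is not reproduced here; salvage_and_sanitize(), decode_utf8(), encode_utf8() and sanitizes_to() are invented for illustration. The thread does not say which characters trigger the libpango crash, so the DEMO_DENY set is a constructed placeholder (two Unicode noncharacters), not the real trigger list.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical deny set standing in for the renderer's problematic code points.
 * The thread does not name them, so two Unicode noncharacters are used here as
 * constructed placeholders; a real list would come from the bug reports. */
static const uint32_t DEMO_DENY[] = { 0xFFFE, 0xFFFF };
static const size_t DEMO_NDENY = sizeof(DEMO_DENY) / sizeof(DEMO_DENY[0]);

/* Decode one UTF-8 sequence at s (len bytes available). Returns the sequence
 * length (1..4) and stores the code point in *cp, or 0 if the bytes are not a
 * valid sequence (stray continuation, truncated, overlong, surrogate, > U+10FFFF). */
static size_t decode_utf8(const unsigned char *s, size_t len, uint32_t *cp)
{
    size_t n;
    uint32_t c, min;
    if (len == 0) return 0;
    unsigned char b = s[0];
    if (b < 0x80) { *cp = b; return 1; }
    if ((b & 0xE0) == 0xC0) { n = 2; c = b & 0x1F; min = 0x80; }
    else if ((b & 0xF0) == 0xE0) { n = 3; c = b & 0x0F; min = 0x800; }
    else if ((b & 0xF8) == 0xF0) { n = 4; c = b & 0x07; min = 0x10000; }
    else return 0;                              /* 0x80..0xBF or 0xF8..0xFF lead byte */
    if (len < n) return 0;                      /* truncated at end of string */
    for (size_t i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;    /* expected a continuation byte */
        c = (c << 6) | (s[i] & 0x3F);
    }
    if (c < min || c > 0x10FFFF) return 0;      /* overlong or out of range */
    if (c >= 0xD800 && c <= 0xDFFF) return 0;   /* UTF-16 surrogate half */
    *cp = c;
    return n;
}

/* Encode cp as UTF-8 into out (room for 4 bytes); returns bytes written. */
static size_t encode_utf8(uint32_t cp, unsigned char *out)
{
    if (cp < 0x80)    { out[0] = (unsigned char)cp; return 1; }
    if (cp < 0x800)   { out[0] = (unsigned char)(0xC0 | (cp >> 6));
                        out[1] = (unsigned char)(0x80 | (cp & 0x3F)); return 2; }
    if (cp < 0x10000) { out[0] = (unsigned char)(0xE0 | (cp >> 12));
                        out[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
                        out[2] = (unsigned char)(0x80 | (cp & 0x3F)); return 3; }
    out[0] = (unsigned char)(0xF0 | (cp >> 18));
    out[1] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
    out[2] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
    out[3] = (unsigned char)(0x80 | (cp & 0x3F));
    return 4;
}

/* Pass 1 (salvage): re-emit src as valid UTF-8, replacing each byte that does
 * not start a valid sequence with U+FFFD. Pass 2 (sanitize): replace any code
 * point listed in deny[] with U+FFFD before it reaches the renderer.
 * Returns a malloc'd NUL-terminated string the caller frees, or NULL on OOM. */
char *salvage_and_sanitize(const char *src, const uint32_t *deny, size_t ndeny)
{
    size_t len = strlen(src), o = 0;
    /* Worst case: every input byte becomes the 3-byte U+FFFD sequence. */
    unsigned char *out = malloc(len * 3 + 1);
    if (!out) return NULL;
    for (size_t i = 0; i < len; ) {
        uint32_t cp;
        size_t n = decode_utf8((const unsigned char *)src + i, len - i, &cp);
        if (n == 0) { cp = 0xFFFD; n = 1; }     /* drop one bad byte and resync */
        for (size_t k = 0; k < ndeny; k++)
            if (cp == deny[k]) { cp = 0xFFFD; break; }
        o += encode_utf8(cp, out + o);
        i += n;
    }
    out[o] = '\0';
    return (char *)out;
}

/* Convenience check: 1 if src sanitizes to expected, else 0. */
int sanitizes_to(const char *src, const uint32_t *deny, size_t ndeny, const char *expected)
{
    char *r = salvage_and_sanitize(src, deny, ndeny);
    int ok = r != NULL && strcmp(r, expected) == 0;
    free(r);
    return ok;
}

int main(void)
{
    /* Constructed sample: valid text, an overlong "/", and a denied noncharacter. */
    const char sample[] = "caf\xC3\xA9 \xC0\xAF \xEF\xBF\xBE";
    char *clean = salvage_and_sanitize(sample, DEMO_DENY, DEMO_NDENY);
    for (const unsigned char *p = (const unsigned char *)clean; *p; p++)
        printf("%02X ", *p);
    printf("\n");
    free(clean);
    return 0;
}
```

The salvage pass rejects overlong, truncated and surrogate encodings as well as stray continuation bytes, since a lax decoder can be talked into passing the renderer a code point it never validated; the deny-list pass is kept separate so it can be compiled in only on the platform whose renderer needs it, as the thread suggests.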