libpurple gadu-gadu issues

Lukas Odzioba lukas.odzioba at gmail.com
Thu Oct 16 07:42:11 EDT 2014


2014-10-16 8:35 GMT+02:00 Mark Doliner <mark at kingant.net>:
> Alright, here's my thinking: We won't be requesting CVE numbers for
> these three issues or announcing them as security vulnerabilities.

Ok, I respect that, at least it is clear now.

> For the 2nd issue, Lukas, yes, you're right, this is basically as
> described in example 3 at
> http://cwe.mitre.org/data/definitions/400.html  Yes, ideally Pidgin
> would intelligently limit its resource usage. But this is a hard
> problem to solve.

No, it is not that hard, you take some reasonable number like 2 MB
and add one if statement to the code, just like it is already for max
"packet" length.
Removing the feature is another solution, but for me it was very useful.

> For one thing our protocols all have a lot of
> functionality and exchange a large number of different messages with
> the server--that's a lot of different things to place limits on. And
> where should we draw the line on how much is too much?

Of course we might argue that 2MB is too much or not enough, but the same
applies for max "packet" length in libgadu protocol.

> Certainly there
> should be SOME limit on resource usage, and we should work on that in
> the future, but for now this doesn't feel critical enough to treat as
> a security problem.

That's fine I understand that policy.

> Thanks again for reporting these problems to us, Lukas! And sorry it's
> taken us over a year to wrap up this email thread.

Next time we could consider posting to oss-sec mailing list in case of
questionable situations like that, to get other people involved in discussion.

Thank you guys for the response, I am happy that we can call it closed now.

Lukas

PS. Good luck with the release.
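The "one if statement" mitigation discussed above, as an added illustration that is not code from this thread, from Pidgin or from libgadu: a receive buffer that accumulates data arriving in many packets but refuses to grow past a fixed cap, so a peer cannot make the client allocate without bound. All names (`bounded_buf`, `bounded_buf_append`, `simulate_stream`, the `MAX_BUFFERED_BYTES` value of 2 MB) are assumptions chosen for the example; the chunk stream is constructed in the code.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on how much data assembled from many packets a client
 * will buffer for one peer. 2 MB is the figure suggested in the thread,
 * not a constant from libgadu or Pidgin. */
#define MAX_BUFFERED_BYTES (2u * 1024u * 1024u)

typedef struct {
    uint8_t *data;
    size_t len;   /* bytes currently stored */
    size_t cap;   /* current allocation size */
} bounded_buf;

enum append_result { APPEND_OK = 0, APPEND_TOO_LARGE = 1, APPEND_OOM = 2 };

/* Append one chunk. The size check runs before any allocation and is written
 * as a subtraction so len + chunk_len cannot overflow. This is the single
 * if-statement that bounds the peer's influence on memory use. */
int bounded_buf_append(bounded_buf *b, const uint8_t *chunk, size_t chunk_len) {
    if (chunk_len > MAX_BUFFERED_BYTES - b->len)
        return APPEND_TOO_LARGE;
    if (b->len + chunk_len > b->cap) {
        size_t new_cap = b->cap ? b->cap : 4096;
        while (new_cap < b->len + chunk_len)
            new_cap *= 2;
        if (new_cap > MAX_BUFFERED_BYTES)   /* never allocate past the cap */
            new_cap = MAX_BUFFERED_BYTES;
        uint8_t *p = realloc(b->data, new_cap);
        if (!p)
            return APPEND_OOM;
        b->data = p;
        b->cap = new_cap;
    }
    memcpy(b->data + b->len, chunk, chunk_len);
    b->len += chunk_len;
    return APPEND_OK;
}

void bounded_buf_free(bounded_buf *b) {
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}

/* Constructed scenario: a peer streams chunk_count chunks of chunk_len bytes.
 * Returns how many chunks were accepted; *final_rc (if non-NULL) receives the
 * result of the last append attempt. */
size_t simulate_stream(size_t chunk_len, size_t chunk_count, int *final_rc) {
    bounded_buf b = {0};
    uint8_t *chunk = calloc(chunk_len ? chunk_len : 1, 1);
    size_t accepted = 0;
    int rc = APPEND_OK;
    for (size_t i = 0; i < chunk_count && chunk; i++) {
        rc = bounded_buf_append(&b, chunk, chunk_len);
        if (rc != APPEND_OK)
            break;
        accepted++;
    }
    if (final_rc)
        *final_rc = rc;
    free(chunk);
    bounded_buf_free(&b);
    return accepted;
}

/* Convenience wrappers so callers can check either value directly. */
size_t accepted_chunks(size_t chunk_len, size_t chunk_count) {
    return simulate_stream(chunk_len, chunk_count, NULL);
}

int final_status(size_t chunk_len, size_t chunk_count) {
    int rc = APPEND_OK;
    simulate_stream(chunk_len, chunk_count, &rc);
    return rc;
}

int main(void) {
    /* 1 KiB chunks: exactly 2048 fit under 2 MB, the 2049th is refused. */
    int rc;
    size_t n = simulate_stream(1024, 3000, &rc);
    printf("accepted %zu chunks, last status %d\n", n, rc);
    return 0;
}
```

With the check placed before `realloc`, a peer that keeps sending can at most fill the 2 MB buffer, after which every further chunk is refused without allocating; whether the client then drops the transfer or the connection is a policy decision layered on top of the return value.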

