DoS against Pidgin's IRC protocol implementation

Shivaram Lingamneni slingamn at cs.stanford.edu
Sun Sep 3 14:49:59 EDT 2017


I already disclosed this vulnerability incorrectly, here and here:

https://developer.pidgin.im/ticket/12562
https://bitbucket.org/pidgin/main/pull-requests/256/

so one of my goals with this e-mail is to ask whether I should
"disappear" the public disclosure made thus far (I can edit it out of
my comment on the Trac ticket, edit it out of the PR, and delete my
GitHub gist).

Description: a malicious IRC server can cause Pidgin to consume
excessive CPU and RAM, resulting in DoS

Cause: the server can send an arbitrarily long stream of unparseable
bytes (any byte that's not 0, \r, or \n), and the parser will keep
resizing its buffer upwards and trying to parse the data into a valid
IRC message

Steps to reproduce: the attached server.py script for non-SSL. Add the
attached stunnel config (substitute your own self-signed certificate
on the `cert` line) to test with SSL.

Affected versions: all 2.x versions, including 2.12. I'm not sure about 3.x.

Patch: attached

Sorry about the disclosure, and thanks for your time.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dos.patch
Type: text/x-patch
Size: 4032 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20170903/9f7c7cb3/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: server.py
Type: text/x-python
Size: 648 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20170903/9f7c7cb3/attachment.py>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel.conf
Type: application/octet-stream
Size: 142 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20170903/9f7c7cb3/attachment.obj>
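One defensive pattern for the cause described in the report, as an added example in C that is neither the attached dos.patch nor Pidgin's own code: a receive buffer of fixed size that stops accepting bytes, and tells the caller to drop the connection, once the peer has sent more than one line's worth of data without a CR/LF terminator. The names (irc_inbuf, irc_inbuf_feed, handle_line) and the 512-byte cap from RFC 1459 are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded line reader; not the attached dos.patch. */
#define IRC_MAX_LINE 512   /* RFC 1459 message limit (CRLF is stripped, so slightly generous) */

typedef struct {
    char   data[IRC_MAX_LINE + 1];  /* fixed size: never reallocated upward */
    size_t len;                     /* bytes of the incomplete line held so far */
    int    lines_parsed;            /* complete messages dispatched */
    int    overflow;                /* peer sent > IRC_MAX_LINE bytes with no CR/LF */
} irc_inbuf;

void irc_inbuf_init(irc_inbuf *b) { memset(b, 0, sizeof *b); }

/* Stand-in for the real message parser: only records that a line arrived. */
static void handle_line(irc_inbuf *b, const char *line, size_t n) {
    (void)line; (void)n;
    b->lines_parsed++;
}

/* Feed raw socket bytes. Returns 0, or -1 once the line cap is exceeded;
 * the caller should then close the connection rather than buffer more. */
int irc_inbuf_feed(irc_inbuf *b, const char *in, size_t n) {
    if (b->overflow) return -1;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\n') {
            size_t end = b->len;
            if (end > 0 && b->data[end - 1] == '\r') end--;   /* strip CR */
            b->data[end] = '\0';
            handle_line(b, b->data, end);
            b->len = 0;
            continue;
        }
        if (b->len >= IRC_MAX_LINE) {   /* unterminated junk: stop, do not grow */
            b->overflow = 1;
            b->len = 0;
            return -1;
        }
        b->data[b->len++] = in[i];
    }
    return 0;
}

int main(void) {
    static char junk[100000];                 /* constructed: 100 KB, no CR/LF anywhere */
    irc_inbuf b; irc_inbuf_init(&b);
    memset(junk, 'A', sizeof junk);
    int rc = irc_inbuf_feed(&b, junk, sizeof junk);
    printf("rc=%d overflow=%d held=%zu\n", rc, b.overflow, b.len);   /* rc=-1 overflow=1 held=0 */
    return 0;
}
```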