[Pidgin] #14830: dbus information leakage

Pidgin trac at pidgin.im
Sun Feb 26 15:46:33 EST 2012


#14830: dbus information leakage
-----------------------------+----------------------------------------------
 Reporter:  dfunc            |        Owner:  bleeter  
     Type:  enhancement      |       Status:  new      
Milestone:  Patches welcome  |    Component:  libpurple
  Version:  2.10.0           |   Resolution:           
 Keywords:  privacy          |  
-----------------------------+----------------------------------------------
Changes (by bleeter):

  * owner:  rekkanoryo => bleeter


Comment:

 @dfunc: Whether Ultramancool is a developer/patch writer for Pidgin or not
 is irrelevant. They raise some points that I feel should at least be
 discussed as this ticket is listed on your report.

 If one's running OTR on a libpurple system where all 'bells and whistles'
 are compiled in, you've increased the surface area of attack by default.
 One shouldn't be surprised if Pidgin starts behaving in 'unusual' ways
 under such circumstances. For example, there's this
 https://www.guifications.org/issues/694#change-1962 with the LastSeen
 plugin which I'm still to deal with, however I can't help but feel it's
 somehow related.

 It's my opinion at the moment that OTR should at least perform a series of
 checks to see if the environment it's running in is protected against
 known issues (e.g., see above with LastSeen - at the moment, I believe OTR
 shouldn't activate if LastSeen is enabled). Given there's no real 'trust'
 model for libpurple/pidgin/finch et al plugins, if I were an OTR dev I'd
 insist on not loading if ANY other plugins are enabled. I'd also not
 permit OTR to operate if DBUS were enabled. Something further that I've
 just thought of (but not investigated nor do I have inclination to), if
 the UI libpurple is connected to is performing spell checking, might it be
 possible for an attacker to glean information similarly to this attack? I
 use spell checking as an example, however I wish to emphasize this is more
 about exposing information to external support libraries.

 And this is where I arrive at Ultramancool's comment #9.

 There is something really odd about OTR's approach of implicitly trusting
 anything that Pidgin is capable of doing instead of, as I would try, to
 ensure the user has a very limited exposure. Still, fixing this properly
 will not be easy. Sure, we could suggest people disable DBUS, however
 that'll then disable NetworkManager support. Further, I could suggest OTR
 shouldn't be run in environments that permit plugins - however that
 obviously leads to the problem where OTR itself wouldn't be able to load.

 As I've stuck my hand up for working in some regard on
 libpurple/pidgin/finch privacy, I've reassigned this ticket to me for now.
 I'm also in two minds as to whether this is a defect or an enhancement, or
 even in fact a Third Party issue (ok, three minds... nobody expects the
 Spanish Inquisition)

 [this was written before #11 and independently from it, would seem to be
 some agreement yay!]

-- 
Ticket URL: <http://developer.pidgin.im/ticket/14830#comment:13>
Pidgin <http://pidgin.im>