Bug 389127 - net-libs/loudmouth fails to handle incorrect utf-8 sequences properly [patch]
Summary: net-libs/loudmouth fails to handle incorrect utf-8 sequences properly [patch]
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] GNOME (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Linux Gnome Desktop Team
URL: http://loudmouth.lighthouseapp.com/pr...
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2011-10-31 19:25 UTC by Dmitry Potapov
Modified: 2011-11-02 03:07 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
patch fixing the issue described (loudmouth-1.4.3-fix-utf8.patch,2.29 KB, patch)
2011-10-31 19:26 UTC, Dmitry Potapov

Description Dmitry Potapov 2011-10-31 19:25:37 UTC
Messages containing invalid utf-8 sequences cannot be parsed, and
loudmouth prints an unwanted error message to stderr when such messages
are received. No more incoming messages can be received by mcabber (as it is using loudmouth) after receiving such sequences.

Reproducible: Always

Steps to Reproduce:
1. Have mcabber with user account "A" launched (mcabber uses loudmouth, that's why it is used)
2. Have mcabber with user account "B" launched (mcabber is able to send rawxml, so it can be used for attack)
3. From account "B" send rawxml message to account A with incorrect utf-8 sequence in body. Following command can be used for this purpose:
/rawxml send <message to='<"A" jid here>'><body>&#xfdef;</body></message>

Actual Results:  
"A" got an error message concerning an incorrect utf-8 sequence and is no longer able to receive messages until reconnect.

Expected Results:  
All incorrect utf-8 sequences in incoming messages are replaced with U+FFFD, the Unicode replacement character. The user is able to receive messages.

Analysis:
----
The lm_parser_parse() function passes the received message to
g_markup_parse_context_parse() without any validation and destroys the
context regardless of the g_markup_parse_context_parse() error type.

Solution:
----
1. glib provides the function g_filename_display_name(), which checks the
passed string and returns a valid utf-8 string made from the original one.
My proposal is to use this function before passing the string to
g_markup_parse_context_parse(). See the patch for lm-parser.c.
2. Since strings are being read from the socket in 1 KB blocks, the last
character in a block can still be detected as invalid (for example when a
block ends with a 0b110xxxxx byte and the next block starts with a 0b10xxxxxx
byte). The complete message must be read before passing it to
lm_parser_parse(). See the patch for lm-socket.c.



Portage 2.1.10.11 (default/linux/x86/10.0/desktop, gcc-4.6.2, glibc-2.13-r4, 3.0.6-gentoo i686)
=================================================================
                        System Settings
=================================================================
System uname: Linux-3.0.6-gentoo-i686-Intel-R-_Core-TM-2_Duo_CPU_P7350_@_2.00GHz-with-gentoo-2.0.3
Timestamp of tree: Sun, 30 Oct 2011 20:30:01 +0000
app-shells/bash:          4.1_p9
dev-lang/python:          2.7.2-r3, 3.1.4-r3
dev-util/cmake:           2.8.4-r1
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.8.3-r1
sys-apps/sandbox:         2.4
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.9.6-r3, 1.11.1
sys-devel/binutils:       2.20.1-r1
sys-devel/gcc:            4.3.6-r1, 4.4.6-r1, 4.5.3-r1, 4.6.2, 4.7.0_alpha20111015::toolchain
sys-devel/gcc-config:     1.4.1-r1
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 2.6.39 (virtual/os-headers)
sys-libs/glibc:           2.13-r4
Repositories: gentoo ncursed-desktop reinvented-wheels toolchain bitcoin
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O3 -march=native -pipe -U_FORTIFY_SOURCE -fno-stack-protector -finline-functions -floop-block -floop-interchange -floop-strip-mine"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CPPFLAGS="-O3 -march=native -pipe -U_FORTIFY_SOURCE -fno-stack-protector -finline-functions -floop-block -floop-interchange -floop-strip-mine"
CXXFLAGS="-O3 -march=native -pipe -U_FORTIFY_SOURCE -fno-stack-protector -finline-functions -floop-block -floop-interchange -floop-strip-mine"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="ru_RU.UTF-8"
LDFLAGS="-Wl,-O3 -Wl,--as-needed"
LINGUAS="am en us ru hy"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/ncursed-desktop /var/lib/layman/reinvented-wheels /var/lib/layman/toolchain /var/lib/layman/bitcoin"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X alsa cscope custom-cflags dbus djvu ffmpeg fontconfig gnutls gpg gstreamer jpeg lame minimal mmx ncurses png sasl savedconfig sse sse2 ssl ssse3 svg symlink theora tiff truetype unicode vim-syntax x86" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux" LINGUAS="am en us ru hy" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

net-libs/loudmouth-1.4.3-r1 was built with the following:
USE="ssl -asyncns -debug -doc -test"
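The two points of the analysis above (validate before parsing, and do not judge a multi-byte sequence that is cut off by a 1 KB read boundary) can be demonstrated without GLib. The following is an added example written for this page; it is neither loudmouth's code, the attached patch, nor the mcabber commit, and the names `utf8_seq_len`, `utf8_stream_feed` and `utf8_stream_flush` are assumptions. It replaces rejected bytes with U+FFFD, as the expected result asks, and holds back a sequence that starts at the end of one block until the next block arrives, so a Cyrillic letter split across two reads is reassembled instead of being flagged as invalid.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* UTF-8 encoding of U+FFFD, the replacement character. */
#define UTF8_REPLACEMENT "\xEF\xBF\xBD"

/* Classify the sequence starting at s[0] with n bytes available.
 * Returns its length (1..4) if well-formed, 0 if invalid at this
 * position, or -1 if the sequence is cut off by the end of the buffer
 * and needs bytes from the next block before it can be judged. */
static int utf8_seq_len(const unsigned char *s, size_t n)
{
    unsigned char c = s[0];
    uint32_t cp;
    int len, i;

    if (c < 0x80) return 1;                       /* plain ASCII */
    if (c >= 0xC2 && c <= 0xDF) { len = 2; cp = c & 0x1F; }
    else if (c >= 0xE0 && c <= 0xEF) { len = 3; cp = c & 0x0F; }
    else if (c >= 0xF0 && c <= 0xF4) { len = 4; cp = c & 0x07; }
    else return 0;   /* stray continuation byte, overlong lead C0/C1, or F5..FF */

    for (i = 1; i < len; i++) {
        if ((size_t)i >= n) return -1;            /* truncated at block boundary */
        if ((s[i] & 0xC0) != 0x80) return 0;      /* not a continuation byte */
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    /* Reject overlong 3/4-byte forms, UTF-16 surrogates and code points above
     * U+10FFFF. Noncharacters such as U+FDEF are well-formed UTF-8 and pass. */
    if (len == 3 && cp < 0x800) return 0;
    if (len == 4 && (cp < 0x10000 || cp > 0x10FFFF)) return 0;
    if (cp >= 0xD800 && cp <= 0xDFFF) return 0;
    return len;
}

/* State carried between socket reads: at most 3 bytes of a sequence that
 * started at the very end of the previous block. */
typedef struct {
    unsigned char pending[4];
    size_t npending;
} utf8_stream;

/* Sanitise one block read from the socket. Returns a malloc'd, NUL-terminated
 * string in which every rejected byte is replaced by U+FFFD; a sequence cut
 * off at the end of the block is held back for the next call instead of being
 * flagged as invalid. The caller frees the result. */
char *utf8_stream_feed(utf8_stream *st, const unsigned char *in, size_t n)
{
    size_t total = st->npending + n, i = 0, o = 0;
    unsigned char *buf = malloc(total + 1);
    char *out = malloc(3 * total + 1);      /* worst case: every byte -> 3-byte U+FFFD */

    if (!buf || !out) { free(buf); free(out); return NULL; }
    memcpy(buf, st->pending, st->npending);
    memcpy(buf + st->npending, in, n);
    st->npending = 0;

    while (i < total) {
        int len = utf8_seq_len(buf + i, total - i);
        if (len > 0) {
            memcpy(out + o, buf + i, (size_t)len);
            o += (size_t)len;
            i += (size_t)len;
        } else if (len == 0) {
            /* policy: one U+FFFD per rejected byte, then resynchronise on the next byte */
            memcpy(out + o, UTF8_REPLACEMENT, 3);
            o += 3;
            i += 1;
        } else {
            st->npending = total - i;             /* always <= 3 here */
            memcpy(st->pending, buf + i, st->npending);
            break;
        }
    }
    out[o] = '\0';
    free(buf);
    return out;
}

/* At end of stream a held-back partial sequence can never complete, so it
 * is emitted as replacement characters, one per pending byte. */
char *utf8_stream_flush(utf8_stream *st)
{
    char *out = malloc(3 * st->npending + 1);
    size_t i;
    if (!out) return NULL;
    for (i = 0; i < st->npending; i++)
        memcpy(out + 3 * i, UTF8_REPLACEMENT, 3);
    out[3 * st->npending] = '\0';
    st->npending = 0;
    return out;
}

int main(void)
{
    /* Constructed sample: the two-byte Cyrillic letter (D0 94) is split across
     * two reads, and a stray continuation byte 80 follows it. */
    utf8_stream st = {{0}, 0};
    char *a = utf8_stream_feed(&st, (const unsigned char *)"<body>\xD0", 7);
    char *b = utf8_stream_feed(&st, (const unsigned char *)"\x94\x80</body>", 9);
    char *c = utf8_stream_flush(&st);
    printf("%s%s%s\n", a, b, c);
    free(a); free(b); free(c);
    return 0;
}
```

The sanitised text is what would be handed to g_markup_parse_context_parse(); because a held-back partial sequence is only ever 1 to 3 bytes, the state between reads stays tiny, and a message that ends mid-sequence (a sender who disconnects) is resolved by the flush rather than left hanging.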
Comment 1 Dmitry Potapov 2011-10-31 19:26:21 UTC
Created attachment 291379 [details, diff]
patch fixing the issue described
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2011-11-01 23:17:11 UTC
Thank you for your report. Confirming that the problem exists. Since loudmouth upstream seems to be as dead as the dinosaurs, I suppose that Gentoo will have to patch this without guidance from loudmouth developers.

I would prefer to use the solution that the mcabber people have come up with (https://github.com/mcabber/loudmouth/commit/0c014cbd35f1c16ac7c8e43ae4f59a560093664a); it seems stylistically better, and I would prefer not to abuse g_filename_display_name() for validating random non-filename strings.
Comment 3 Alexandre Rostovtsev (RETIRED) gentoo-dev 2011-11-02 03:07:39 UTC
Patched in portage and reported upstream (http://loudmouth.lighthouseapp.com/projects/17276/tickets/61).

As far as I can tell, the worst effect that this bug has is breaking mcabber's formatting a bit, making it hard/impossible to read some incoming messages. As far as I can tell, there shouldn't be any potential for remote code execution.

However, if you disagree, you may choose to contact security@gentoo.org.

> *loudmouth-1.4.3-r2 (02 Nov 2011)
> 
>   02 Nov 2011; Alexandre Rostovtsev <tetromino@gentoo.org>
>   loudmouth-1.4.3.ebuild, loudmouth-1.4.3-r1.ebuild,
>   +loudmouth-1.4.3-r2.ebuild, +files/loudmouth-1.4.3-free-before-closed.patch,
>   +files/loudmouth-1.4.3-id-tag-in-opening-headers.patch,
>   +files/loudmouth-1.4.3-invalid-unicode.patch,
>   +files/loudmouth-1.4.3-silence-chdir.patch:
>   Add patches fixing rfc-3920 compliance, preventing segfaults and excessive
>   debug messages, and fixing utf-8 validation of incoming messages (bug
>   #389127, many thanks to Dmitry Potapov <potapov.d@gmail.com> for reporting).
>   Also, move to EAPI4 and add USE=static-libs support.
>   The Imendio upstream is gone, so use gnome.org for SRC_URI and set the github
>   repo which is supposedly considered the closest thing to official that
>   loudmouth has these days as the homepage.