Opened 9 years ago

Last modified 9 years ago

#11770 new defect

Crash when AIM hangs & attempt to disable

Reported by: cepheid
Owned by: MarkDoliner
Milestone:
Component: AIM
Version: 2.6.6
Keywords:
Cc:

Description

Today, AIM is giving me lots of problems... it simply refuses to log in (giving some sort of SSL error). While AIM is hanging, if I try to disable the account (by unchecking it in the Accounts pane), pidgin will segfault. Similarly, if I try to change my available/away status while AIM is hanging, pidgin will segfault.

Steps to reproduce:
1) Try to log into AIM... if it hangs, then
2) Go to Accounts and try to uncheck the account to disable it.
3) CRASH!

This has only been happening today, but it's reproducible a _lot_. A gdb backtrace is attached.

Attachments (1)

pidgin_bt (4.3 KB) - added by cepheid 9 years ago.
Backtrace of crash


Change History (7)

Changed 9 years ago by cepheid

Backtrace of crash

comment:1 Changed 9 years ago by cepheid

The specific AIM error I am getting (when it hangs) is: "Unable to connect to BOS server: SSL Connection Failed"

That may be an AIM server problem more than a pidgin problem... but the crash is definitely a pidgin problem!

comment:2 Changed 9 years ago by QuLogic

  • Component changed from unclassified to AIM
  • Owner changed from rekkanoryo to MarkDoliner

comment:3 Changed 9 years ago by nmftm

I am getting the same problem. It (obviously) stops happening if you log in without using SSL, but that could compromise your password.

comment:4 Changed 9 years ago by MarkDoliner

For the record it is never possible for anyone to obtain your password by looking at Pidgin's network traffic. Depending on the options checked, either the password is sent over https, or only a hash of the password is sent.

comment:5 in reply to: ↑ 4 Changed 9 years ago by nmftm

Replying to MarkDoliner:

For the record it is never possible for anyone to obtain your password by looking at Pidgin's network traffic. Depending on the options checked, either the password is sent over https, or only a hash of the password is sent.

Couldn't someone tell what the password was by looking at the hash and using rainbow tables?

comment:6 Changed 9 years ago by MarkDoliner

nmftm: I don't think so. When using clientLogin the password is sent over TLS or SSL, which I believe is designed such that rainbow tables are ineffective. When not using clientLogin only a hash is sent, and the hash is generated using a random nonce (so the attacker would need a rainbow table for each random nonce, which means the rainbow table provides no benefit).
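The nonce argument in comment 6 is easy to see in code. The following is an added illustration, not Pidgin or libpurple code and not the AIM/OSCAR wire format: it assumes a generic challenge-response where the client answers with sha256(nonce || password). It builds a precomputed table (a stand-in for a rainbow table) for one nonce and shows that the table recovers the password only for that nonce; the same password in a second session with a fresh nonce produces a different digest that the table does not contain. The wordlist and nonces are constructed sample values.

```python
import hashlib
import secrets

# Constructed wordlist standing in for the contents of a precomputed table.
WORDLIST = ["password", "letmein", "hunter2", "qwerty", "correct horse"]


def new_nonce() -> bytes:
    """Server side: a fresh random challenge for every login attempt."""
    return secrets.token_bytes(16)


def response_hash(nonce: bytes, password: str) -> str:
    """Client side: digest of the server's nonce and the password.

    Illustrative construction only (assumption); the real OSCAR
    algorithm is not reproduced here.
    """
    return hashlib.sha256(nonce + password.encode("utf-8")).hexdigest()


def verify(nonce: bytes, stored_password: str, observed: str) -> bool:
    """Server side: recompute the expected digest for this nonce and compare."""
    expected = response_hash(nonce, stored_password)
    return secrets.compare_digest(expected, observed)


def build_table(nonce: bytes, words) -> dict:
    """Precompute digest -> password for ONE nonce.

    This is what a rainbow table amounts to for a nonce-bound hash:
    the whole table is tied to the nonce it was built with.
    """
    return {response_hash(nonce, w): w for w in words}


def lookup(table: dict, observed: str):
    """Try to recover a password from an observed digest via the table."""
    return table.get(observed)


def demo():
    # Two sessions of the same user; the server issues a different nonce each time.
    nonce_a = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    nonce_b = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed

    # Table precomputed against nonce_a only.
    table_a = build_table(nonce_a, WORDLIST)

    digest_a = response_hash(nonce_a, "hunter2")
    digest_b = response_hash(nonce_b, "hunter2")

    # Both digests verify on the server, which knows the password and nonce.
    assert verify(nonce_a, "hunter2", digest_a)
    assert verify(nonce_b, "hunter2", digest_b)

    # The table works for the session it was built for and for nothing else.
    return lookup(table_a, digest_a), lookup(table_a, digest_b), digest_a != digest_b


if __name__ == "__main__":
    print(demo())  # ('hunter2', None, True)
```

What the run shows: the precomputed table yields the password for the nonce it was built against and nothing for any other nonce, which is exactly why a per-nonce table "provides no benefit". The nonce protects against precomputation specifically; it does not make a weak password strong on its own, since a short wordlist can still be hashed afresh against any one captured nonce, so password quality and the TLS path remain the real protection.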
