Bug 24138 - telepathy-butterfly crashed with TypeError in b64decode()
Summary: telepathy-butterfly crashed with TypeError in b64decode()
Status: RESOLVED FIXED
Alias: None
Product: papyon
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: Other All
: medium normal
Assignee: Telepathy bugs list
QA Contact: Telepathy bugs list
URL: http://git.collabora.co.uk/?p=user/jo...
Whiteboard: review+
Keywords: patch
: 25526 26135 (view as bug list)
Depends on:
Blocks:
 
Reported: 2009-09-24 15:14 UTC by Cristian Aravena
Modified: 2010-04-09 06:12 UTC (History)
3 users (show)

See Also:
i915 platform:
i915 features:


Attachments
Quilt patch (695 bytes, patch)
2009-11-08 10:40 UTC, Brad Misik
Details | Splinter Review
Proposed patch (525 bytes, patch)
2010-04-06 15:36 UTC, Laurent Bigonville
Details | Splinter Review

Description Cristian Aravena 2009-09-24 15:14:12 UTC
Open Bug in LP:
https://bugs.edge.launchpad.net/ubuntu/+source/pymsn/+bug/401028

"Started Empathy, it connected to all my networks, then I got the crash message. Up to date karmic."
Comment 1 Cristian Aravena 2009-09-24 15:15:04 UTC
Traceback (most recent call last):
  File "/usr/lib/python2.6/dist-packages/pymsn/msnp/base.py", line 106, in _dispatch_command
    handler(command)
  File "/usr/lib/python2.6/dist-packages/pymsn/msnp/notification.py", line 347, in _handle_ILN
    self._handle_NLN(command)
  File "/usr/lib/python2.6/dist-packages/pymsn/msnp/notification.py", line 386, in _handle_NLN
    urllib.unquote(command.arguments[5]))
  File "/usr/lib/python2.6/dist-packages/pymsn/p2p.py", line 160, in parse
    shac = base64.b64decode(shac)
  File "/usr/lib/python2.6/base64.py", line 76, in b64decode
    raise TypeError(msg)
TypeError: Incorrect padding
Comment 2 Brad Misik 2009-11-07 23:44:27 UTC
This bug is actually a DoS vulnerability in the way papyon handles MSNObject data in p2p.py.

There is no exception handling for malformed fields, such as the SHA1C in the bug filer's case. It tries to base 64 decode whether or not the string is properly encoded in base 64. If it isn't, it will crash silently with a traceback in the logs. The user will continue thinking he is talking to the person with the malformed checksum, but in reality, no messages will be sent or received.

More importantly, while going over this code, it appears that the checksum isn't even used when sending or receiving, yet it is stored in the object. If this is the intent, then malformed field exceptions should be ignored and a warning logged instead of crashing. However, it would be best if papyon verified the integrity of the fields and then compared checksums (just like what is done for the SHA1D). If the checksums do not match or the fields are malformed, then notify the user and drop the object from further processing.

I can kind of see the methodology behind what is being done now. The data hash is being checked and compared for integrity, and that's all you care about - the data. If this is the case and you see the checksum as redundant, then at least handle malformed ones by ignoring them instead of crashing on a bash 64 decode.
Comment 3 Brad Misik 2009-11-08 10:40:06 UTC
Created attachment 31049 [details] [review]
Quilt patch

The attached quilt patch ignores malformed SHA1Cs so that conversations don't crash. As mentioned earlier, though, there are a lot more places where checking needs to be done to make this framework secure. Check for KeyErrors in the xml, TypeErrors in the decodings, etc. I've managed to cause a crash remotely using several different methods.
Comment 4 Olivier Crête 2009-12-29 09:16:54 UTC
*** Bug 25526 has been marked as a duplicate of this bug. ***
Comment 5 Olivier Le Thanh Duong 2009-12-29 09:55:57 UTC
Thanks for you patch, I have pushed it into master. Could you please open bugs for all the area where such fallback are needed? Thanks in advance
Comment 6 Jonny Lamb 2010-01-20 07:24:41 UTC
*** Bug 26135 has been marked as a duplicate of this bug. ***
Comment 7 Laurent Bigonville 2010-04-06 15:35:32 UTC
Still happening with version (0.4.5)

Traceback:
 Traceback (most recent call last):
   File "/usr/lib/pymodules/python2.6/papyon/msnp/base.py", line 107, in _dispatch_command
     handler(command)
   File "/usr/lib/pymodules/python2.6/papyon/msnp/notification.py", line 453, in _handle_NLN
     urllib.unquote(command.arguments[idx]))
   File "/usr/lib/pymodules/python2.6/papyon/p2p.py", line 159, in parse
     shad = base64.b64decode(shad)
   File "/usr/lib/python2.6/base64.py", line 76, in b64decode
     raise TypeError(msg)
 TypeError: Incorrect padding
Comment 8 Laurent Bigonville 2010-04-06 15:36:00 UTC
Created attachment 34733 [details] [review]
Proposed patch
Comment 9 Olivier Le Thanh Duong 2010-04-07 12:20:20 UTC
Like I said on irc, I'm pretty sure that's a dup of https://bugs.freedesktop.org/show_bug.cgi?id=26804 so I would like to see if it can be reproduced with the patch or some logs.
Comment 10 Jonny Lamb 2010-04-09 03:48:18 UTC
(In reply to comment #9)
> Like I said on irc, I'm pretty sure that's a dup of
> https://bugs.freedesktop.org/show_bug.cgi?id=26804 so I would like to see if it
> can be reproduced with the patch or some logs.

Unfortunately, it's not a duplicate as Laurent is running papyon with the said fix.

Olivier, do you have any objections against Laurent's patch? I personally don't know how else to go about fixing this.
Comment 11 Olivier Le Thanh Duong 2010-04-09 04:13:41 UTC
(In reply to comment #10)
> (In reply to comment #9)
> > Like I said on irc, I'm pretty sure that's a dup of
> > https://bugs.freedesktop.org/show_bug.cgi?id=26804 so I would like to see if it
> > can be reproduced with the patch or some logs.
> 
> Unfortunately, it's not a duplicate as Laurent is running papyon with the said
> fix.
> 
> Olivier, do you have any objections against Laurent's patch? I personally don't
> know how else to go about fixing this.

I'm ok with it, but perhaps we should add more debug info in each exception it may proves helpfuls
Comment 12 Jonny Lamb 2010-04-09 04:29:01 UTC
(In reply to comment #11)
> perhaps we should add more debug info in each exception it
> may proves helpfuls

What kind of extra info do you mean? Check out my branch to fix this bug; I added another commit.
Comment 13 Olivier Le Thanh Duong 2010-04-09 04:47:13 UTC
I mean having the failed sha[cd] in the exceptions, since most people don't provide the log but only the traceback that could be useful
Comment 14 Jonny Lamb 2010-04-09 05:01:05 UTC
(In reply to comment #13)
> I mean having the failed sha[cd] in the exceptions, since most people don't
> provide the log but only the traceback that could be useful

Yeah can't hurt. Check out my branch for all this then.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.