David F. Severski wrote:
> On Thu, Nov 29, 2007 at 06:31:13PM -0600, Billy Crook wrote:
>> And for that matter, no destruction of your current computer's UPnP
>> capabilities will slow down a virus that uses UPnP to open your NAT router
>> up. That virus will carry its own UPnP client that you won't be allowed to
>> close. The place to disable it, if you are going to at all, is in your NAT
>> routers.
>
> The concern is not whether UPnP announcements are going to open my
> network to hostile traffic, but whether or not Pidgin may be listening to
> potentially hostile traffic (e.g. buffer overflows, malicious input). I
> use Pidgin to communicate on a motley collection of chat protocols such
> as AIM, ICQ, Jabber, etc. UPnP is not on my required list of protocols;
> therefore I, like other users who have commented on this issue in the
> past, am trying to disable it so that I am only running the service and
> clients that are necessary for my required functionality.
>
> The resistance to providing even an advanced configuration option or
> plug-in functionality that allows users to follow security best practices
> is surprising. Is there a reason for UPnP to be in an always-on state
> that I'm not understanding?
Pidgin only uses UPNP support for two things: determining the external IP address of a NAT network and opening ports on a NAT network, for peer-to-peer connections. If Pidgin is given bogus information at either time, the worst that should happen is that either the remote client is told to connect to the wrong IP address or the direct connection simply fails due to lack of open ports.

Pidgin should not act on a UPNP message received randomly (or even upon request) by opening a connection or crashing or doing anything else unpleasant. If you have found a vulnerability in Pidgin that you believe could cause Pidgin to do something nasty when sent some bogus UPNP data, we will be more than happy to fix it, but turning off a UPNP client should not really be necessary.

Kevin
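The first of the two uses Kevin describes, asking the gateway for the external IP address, is the point where a reply from the LAN is parsed and acted on. The following is an added example, not code from the thread or from Pidgin, showing how a client can treat that reply as untrusted input so that the only outcomes are "got a usable public address" or "no address known", never a crash or a bogus address advertised to a peer. It assumes the standard WANIPConnection:1 service namespace used by IGD gateways, a 16 KiB size cap on the SOAP reply, and a set of constructed sample replies (including a private address, an overlong field, a DTD and raw garbage) built inline.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Optional

# Assumptions made for this example (not taken from the mailing-list thread):
# a 16 KiB cap on the SOAP reply, and the WANIPConnection:1 service
# namespace that IGD gateways use for GetExternalIPAddress.
MAX_RESPONSE_BYTES = 16 * 1024
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
MAX_DOTTED_QUAD_LEN = len("255.255.255.255")


def validated_external_ip(soap_body: bytes) -> Optional[str]:
    """Return the external IPv4 address carried in a GetExternalIPAddress
    reply, or None when the reply is oversized, malformed, carries a DTD,
    or reports an address that cannot be a public one.

    Every failure mode maps to None, so the caller falls back to "no
    external address known" instead of crashing or handing a private or
    garbage address to a remote peer."""
    if not isinstance(soap_body, (bytes, bytearray)):
        return None
    # Size cap: a hostile responder cannot make the client buffer unbounded XML.
    if len(soap_body) > MAX_RESPONSE_BYTES:
        return None
    # A gateway reply never legitimately needs a DTD; refusing one removes
    # entity-expansion parser bombs before the XML parser ever sees them.
    if b"<!DOCTYPE" in soap_body or b"<!ENTITY" in soap_body:
        return None
    try:
        root = ET.fromstring(bytes(soap_body))
    except (ET.ParseError, ValueError):
        return None
    # Match on the full namespace, not on whatever prefix the sender chose.
    elem = root.find(
        f".//{{{WANIP_NS}}}GetExternalIPAddressResponse/NewExternalIPAddress"
    )
    if elem is None or elem.text is None:
        return None
    text = elem.text.strip()
    # A dotted quad is at most 15 characters; anything longer is not an address.
    if len(text) > MAX_DOTTED_QUAD_LEN:
        return None
    try:
        addr = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return None
    # Private, loopback, link-local, multicast or reserved answers are either
    # misconfiguration or a lie; advertising them only misdirects the peer.
    if not addr.is_global:
        return None
    return str(addr)


def constructed_reply(address_text: str) -> bytes:
    """Build a constructed GetExternalIPAddress SOAP reply for the samples below."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        "<s:Body>"
        f'<u:GetExternalIPAddressResponse xmlns:u="{WANIP_NS}">'
        f"<NewExternalIPAddress>{address_text}</NewExternalIPAddress>"
        "</u:GetExternalIPAddressResponse>"
        "</s:Body></s:Envelope>"
    ).encode()


# Constructed sample replies; the addresses are placeholders, not real gateways.
SAMPLES = {
    "public address": constructed_reply("1.2.3.4"),
    "private address": constructed_reply("192.168.1.1"),
    "loopback": constructed_reply("127.0.0.1"),
    "overlong field": constructed_reply("1.2.3.4" + "A" * 400),
    "not an address": constructed_reply("gateway.local"),
    "dtd present": b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "x">]><x>&e;</x>',
    "oversized": b"<x>" + b"A" * MAX_RESPONSE_BYTES + b"</x>",
    "garbage bytes": b"\xff\x00not xml at all",
    "empty": b"",
}


if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(f"{label:16} -> {validated_external_ip(reply)!r}")
```

Only the first sample yields an address; every other reply, including the one that is well-formed XML but names a private address, collapses to None, which is the "direct connection simply fails" outcome Kevin describes rather than anything worse.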
_______________________________________________
Support mailing list
[email protected]
http://pidgin.im/cgi-bin/mailman/listinfo/support
