Opened 9 years ago

Closed 5 years ago

Last modified 14 months ago

#2918 closed project (invalid)

Audit pidgin for leaks and other privacy issues

Reported by: ioerror
Owned by: ioerror
Priority: Medium
Milestone:
Component: Archived/Tor Messenger
Version:
Severity:
Keywords:
Cc: StrangeCharm, tor@…, Shondoit
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by mikeperry)

Pidgin is full of privacy and anonymity issues such as the ones discovered in #1676.

I propose that this is a parent ticket for an audit of pidgin for privacy related issues.

When this bug is closed and all sub bugs are closed, we can ship the TIMBB again. Or, alternatively, we can ship it with just the plugins that have been audited.

Ticket Component Owner Summary Priority
#2919 Archived/Tor Messenger ioerror Audit IRC plugin for pidgin Medium
#2920 Archived/Tor Messenger ioerror Audit AIM support for pidgin Medium


Child Tickets

Ticket Status Owner Summary Component
#2919 closed ioerror Audit IRC plugin for pidgin Archived/Tor Messenger
#2920 closed ioerror Audit AIM support for pidgin Archived/Tor Messenger

Attachments (3)

configure.ac-hardening.patch (1.7 KB) - added by ioerror 9 years ago.
I've added two new configure flags for compile time hardening
libpurple-proxy.h.patch (539 bytes) - added by ioerror 9 years ago.
pidgin-security-context.png (44.2 KB) - added by ioerror 7 years ago.
Tor/Privacy proxy screenshot of current Pidgin proxy dialog


Change History (42)

comment:1 Changed 9 years ago by ioerror

Jabber is handled in #1676

comment:2 Changed 9 years ago by ioerror

Owner: set to ioerror
Status: new → assigned

comment:3 Changed 9 years ago by ioerror

IRC is handled in #2919

comment:4 Changed 9 years ago by ioerror

AIM is handled in #2920

comment:5 Changed 9 years ago by mikeperry

Component: - Select a component → Tor bundles/installation
Description: modified (diff)

comment:6 Changed 9 years ago by mikeperry

Description: modified (diff)
Owner: changed from ioerror to mikeperry
Status: assigned → accepted

comment:7 Changed 9 years ago by mikeperry

Owner: changed from mikeperry to ioerror
Status: accepted → assigned

Thanks trac. Just assign the ticket to me automatically because I edited the description. That's great.

comment:8 Changed 9 years ago by mikeperry

The jabber/XMPP audit should also have a subticket, unless we're sure that the DNS leak is the only issue with all of the pidgin XMPP plugins?

comment:9 Changed 9 years ago by ioerror

We should specifically focus our audit on proxy compliance issues. timing information such as time zones, usernames, local host name leakage, etc

Configure each protocol to use Tor as a SOCKS5 proxy and then check:

  • Do we only send traffic over the proxy?
  • Do we leak DNS?
  • If the proxy is unreachable - do we fail closed?

The Pidgin we ship should disable any protocol support for information leaks - we should not give remote typing indications, etc.
There are some privacy issues that are unavoidable - any plugin (such as OTR) that allows a remote party to elicit a client response will be able to calculate network latency. Some protocols allow this by default (IRC), others have this as a matter of functionality (OTR) - we have to find those issues and identify them.
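
One way to check the "Do we leak DNS?" item from the list above on the proxy side, as an added example (not from this ticket, Pidgin or the Tor Project): a SOCKS5 request (RFC 1928) carries either a hostname or an address literal, and only a hostname shows that the client left resolution to the proxy. The hostnames, addresses, ports and labels in `SAMPLE` are constructed.

```python
"""Classify the destination field of captured SOCKS5 requests (RFC 1928).

Added illustration; not code from Pidgin, libpurple or the Tor Project.
"""
import ipaddress
import struct

CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


class Socks5ParseError(ValueError):
    """The bytes are not a complete, well-formed SOCKS5 request."""


def parse_request(data):
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT (sent after method negotiation)."""
    if len(data) < 4:
        raise Socks5ParseError("truncated header")
    ver, cmd, rsv, atyp = data[:4]
    if ver != 0x05 or rsv != 0x00:
        raise Socks5ParseError("not a SOCKS5 request")
    body = data[4:]
    if atyp == ATYP_DOMAIN:
        if not body:
            raise Socks5ParseError("missing name length")
        addr_len, offset = body[0], 1  # one length octet, then the name
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        addr_len, offset = (4 if atyp == ATYP_IPV4 else 16), 0
    else:
        raise Socks5ParseError(f"unknown ATYP {atyp:#04x}")
    end = offset + addr_len
    if len(body) < end + 2:
        raise Socks5ParseError("truncated address or port")
    raw = body[offset:end]
    if atyp == ATYP_DOMAIN:
        host = raw.decode("ascii", errors="replace")
    else:
        host = str(ipaddress.ip_address(raw))
    (port,) = struct.unpack("!H", body[end:end + 2])
    return {"cmd": cmd, "atyp": atyp, "host": host, "port": port}


def classify(data):
    """Return (verdict, request) for one captured request."""
    req = parse_request(data)
    if req["cmd"] != CMD_CONNECT:
        return "non-connect", req
    if req["atyp"] == ATYP_DOMAIN:
        try:
            ipaddress.ip_address(req["host"])
        except ValueError:
            # A real hostname: resolution is left to the proxy.
            return "remote-dns", req
    # Address literal (binary, or an IP written into the name field): the
    # account was configured with an IP or the name was resolved before the
    # proxy was involved, so check the packet capture for port 53 traffic.
    return "literal-ip", req


def audit(captured):
    """Classify every labelled request; malformed ones are reported, not raised."""
    rows = []
    for label, data in captured.items():
        try:
            verdict, req = classify(data)
            rows.append((label, verdict, req["host"], req["port"]))
        except Socks5ParseError as exc:
            rows.append((label, "malformed", str(exc), None))
    return rows


def build_request(atyp, addr, port, cmd=CMD_CONNECT):
    """Build request bytes for the constructed samples below."""
    return bytes([0x05, cmd, 0x00, atyp]) + addr + struct.pack("!H", port)


def domain(name):
    """Encode a DST.ADDR domain field: length octet followed by the name."""
    return bytes([len(name)]) + name.encode("ascii")


# Constructed requests, one per account under test.
SAMPLE = {
    "xmpp": build_request(ATYP_DOMAIN, domain("jabber.example.org"), 5222),
    "irc": build_request(ATYP_IPV4, bytes([192, 0, 2, 10]), 6667),
    "aim": build_request(ATYP_DOMAIN, domain("192.0.2.20"), 5190),
    "cut-off": build_request(ATYP_DOMAIN, domain("jabber.example.org"), 5222)[:-3],
}

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

A `literal-ip` verdict is not proof of a leak on its own; it marks the accounts whose name lookups have to be found in the capture.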

comment:10 Changed 9 years ago by mikeperry

Ok, perhaps we have two levels of audit: one for proxy bypass and one for info leaks. We could then ship more protocols if we do a quick pass over the source and ensure no non-proxied network calls are made. Info leaks could be filed as bugs, but not blockers to shipping?

comment:11 in reply to:  10 Changed 9 years ago by ioerror

Replying to mikeperry:

> Ok, perhaps we have two levels of audit: one for proxy bypass and one for info leaks. We could then ship more protocols if we do a quick pass over the source and ensure no non-proxied network calls are made. Info leaks could be filed as bugs, but not blockers to shipping?

I'm fine with that.

comment:12 Changed 9 years ago by ioerror

What other protocols and plugins are desired for this audit?

comment:13 Changed 9 years ago by mikeperry

I think protocols have enough behavioural reaction nonsense in them that we actually need to check the source for proxy bypass leaks rather than just blackbox + wireshark (ie direct connect, send file, voice/video, etc). Is grepping the plugin source for network socket syscalls a feasible idea? Does Pidgin export non-proxied versions of any of its network functions? It's been years since I looked at the source.

comment:14 in reply to:  13 Changed 9 years ago by ioerror

Replying to mikeperry:

> I think protocols have enough behavioural reaction nonsense in them that we actually need to check the source for proxy bypass leaks rather than just blackbox + wireshark (ie direct connect, send file, voice/video, etc).

I agree - I've been reading the source and my Jabber patch for #1676 is the result.

> Is grepping the plugin source for network socket syscalls a feasible idea? Does Pidgin export non-proxied versions of any of its network functions? It's been years since I looked at the source.

Yeah, you can go that route. I prefer to 0) think about the protocol in question: AIM vs XMPP? Very different DNS requirements 1) use the protocol with a debug window open, 2) use wireshark 3) narrow down the code path for leaks or 4) just read the entire protocol source plugin and perform 1-3 to confirm the patches or fixes work properly.

comment:15 Changed 9 years ago by ioerror

It looks like Pidgin has added a new proxy type: "Tor/Privacy":

Here's the patch set:
http://developer.pidgin.im/viewmtn/revision/info/075c2902b90abb6349a6b689e26fa0ecf720ca04

Here's the updated bug:
http://developer.pidgin.im/ticket/11110#comment:38

Helix - can you build from this?

Changed 9 years ago by ioerror

I've added two new configure flags for compile time hardening

comment:16 Changed 9 years ago by ioerror

I'm using this source created by Helix:

http://erinn.org/~e/pidgin.tgz
patch -p1 < ../../configure.ac-hardening.patch

I'm configuring like so:

./configure --disable-screensaver --disable-gstreamer --disable-vv --disable-idn --disable-meanwhile --disable-dbus --disable-perl --disable-tcl --enable-gnutls=no --enable-nss=yes --disable-consoleui --enable-gcc-hardening --enable-linker-hardening

I've tried to compile it but unlike the previous attempts - it fails:
{{{
% make
cd . && /bin/bash ./config.status config.h
config.status: creating config.h
make all-recursive
make[1]: Entering directory `/tmp/pidgin-mtn'
Making all in .
make[2]: Entering directory `/tmp/pidgin-mtn'
LC_ALL=C /usr/bin/intltool-merge -d -u -c ./po/.intltool-merge-cache ./po pidgin.desktop.in pidgin.desktop
Generating and caching the translation database
Merging translations into pidgin.desktop.

GEN package_revision_raw.txt
GEN package_revision.h

make[2]: Leaving directory `/tmp/pidgin-mtn'
Making all in libpurple
make[2]: Entering directory `/tmp/pidgin-mtn/libpurple'
Makefile:909: .deps/account.Plo: No such file or directory
Makefile:910: .deps/accountopt.Plo: No such file or directory
Makefile:911: .deps/backend-fs2.Plo: No such file or directory
Makefile:912: .deps/backend-iface.Plo: No such file or directory
Makefile:913: .deps/blist.Plo: No such file or directory
Makefile:914: .deps/buddyicon.Plo: No such file or directory
Makefile:915: .deps/candidate.Plo: No such file or directory
Makefile:916: .deps/certificate.Plo: No such file or directory
Makefile:917: .deps/cipher.Plo: No such file or directory
Makefile:918: .deps/circbuffer.Plo: No such file or directory
Makefile:919: .deps/cmds.Plo: No such file or directory
Makefile:920: .deps/codec.Plo: No such file or directory
Makefile:921: .deps/connection.Plo: No such file or directory
Makefile:922: .deps/conversation.Plo: No such file or directory
Makefile:923: .deps/core.Plo: No such file or directory
Makefile:924: .deps/dbus-server.Plo: No such file or directory
Makefile:925: .deps/dbus-useful.Plo: No such file or directory
Makefile:926: .deps/debug.Plo: No such file or directory
Makefile:927: .deps/desktopitem.Plo: No such file or directory
Makefile:928: .deps/dnsquery.Plo: No such file or directory
Makefile:929: .deps/dnssrv.Plo: No such file or directory
Makefile:930: .deps/enum-types.Plo: No such file or directory
Makefile:931: .deps/eventloop.Plo: No such file or directory
Makefile:932: .deps/ft.Plo: No such file or directory
Makefile:933: .deps/idle.Plo: No such file or directory
Makefile:934: .deps/imgstore.Plo: No such file or directory
Makefile:935: .deps/log.Plo: No such file or directory
Makefile:936: .deps/marshallers.Plo: No such file or directory
Makefile:937: .deps/media.Plo: No such file or directory
Makefile:938: .deps/mediamanager.Plo: No such file or directory
Makefile:939: .deps/mime.Plo: No such file or directory
Makefile:940: .deps/nat-pmp.Plo: No such file or directory
Makefile:941: .deps/network.Plo: No such file or directory
Makefile:942: .deps/notify.Plo: No such file or directory
Makefile:943: .deps/ntlm.Plo: No such file or directory
Makefile:944: .deps/plugin.Plo: No such file or directory
Makefile:945: .deps/pluginpref.Plo: No such file or directory
Makefile:946: .deps/pounce.Plo: No such file or directory
Makefile:947: .deps/prefs.Plo: No such file or directory
Makefile:948: .deps/privacy.Plo: No such file or directory
Makefile:949: .deps/proxy.Plo: No such file or directory
Makefile:950: .deps/prpl.Plo: No such file or directory
Makefile:951: .deps/purple-client-example.Po: No such file or directory
Makefile:952: .deps/purple-client.Plo: No such file or directory
Makefile:953: .deps/request.Plo: No such file or directory
Makefile:954: .deps/roomlist.Plo: No such file or directory
Makefile:955: .deps/savedstatuses.Plo: No such file or directory
Makefile:956: .deps/server.Plo: No such file or directory
Makefile:957: .deps/signals.Plo: No such file or directory
Makefile:958: .deps/smiley.Plo: No such file or directory
Makefile:959: .deps/sound-theme-loader.Plo: No such file or directory
Makefile:960: .deps/sound-theme.Plo: No such file or directory
Makefile:961: .deps/sound.Plo: No such file or directory
Makefile:962: .deps/sslconn.Plo: No such file or directory
Makefile:963: .deps/status.Plo: No such file or directory
Makefile:964: .deps/stringref.Plo: No such file or directory
Makefile:965: .deps/stun.Plo: No such file or directory
Makefile:966: .deps/theme-loader.Plo: No such file or directory
Makefile:967: .deps/theme-manager.Plo: No such file or directory
Makefile:968: .deps/theme.Plo: No such file or directory
Makefile:969: .deps/upnp.Plo: No such file or directory
Makefile:970: .deps/util.Plo: No such file or directory
Makefile:971: .deps/value.Plo: No such file or directory
Makefile:972: .deps/version.Plo: No such file or directory
Makefile:973: .deps/whiteboard.Plo: No such file or directory
Makefile:974: .deps/xmlnode.Plo: No such file or directory
make[2]: *** No rule to make target `.deps/xmlnode.Plo'.  Stop.
make[2]: Leaving directory `/tmp/pidgin-mtn/libpurple'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/pidgin-mtn'
make: *** [all] Error 2
}}}

If I try to do it without my patch and configure it like so, it still fails:

./configure --disable-screensaver --disable-gstreamer --disable-vv --disable-idn --disable-meanwhile --disable-nm --disable-perl --disable-tcl

Configure complains about something new:

config.status: error: cannot find input file: `po/Makefile.in.in'

Here's the build failure:

make
cd . && /bin/bash ./config.status config.h
config.status: creating config.h
config.status: config.h is unchanged
make  all-recursive
make[1]: Entering directory `/tmp/pidgin-mtn'
Making all in .
make[2]: Entering directory `/tmp/pidgin-mtn'
  GEN    package_revision_raw.txt
  GEN    package_revision.h
make[2]: Leaving directory `/tmp/pidgin-mtn'
Making all in libpurple
make[2]: Entering directory `/tmp/pidgin-mtn/libpurple'
Makefile:909: .deps/account.Plo: No such file or directory
Makefile:910: .deps/accountopt.Plo: No such file or directory
Makefile:911: .deps/backend-fs2.Plo: No such file or directory
Makefile:912: .deps/backend-iface.Plo: No such file or directory
Makefile:913: .deps/blist.Plo: No such file or directory
Makefile:914: .deps/buddyicon.Plo: No such file or directory
Makefile:915: .deps/candidate.Plo: No such file or directory
Makefile:916: .deps/certificate.Plo: No such file or directory
Makefile:917: .deps/cipher.Plo: No such file or directory
Makefile:918: .deps/circbuffer.Plo: No such file or directory
Makefile:919: .deps/cmds.Plo: No such file or directory
Makefile:920: .deps/codec.Plo: No such file or directory
Makefile:921: .deps/connection.Plo: No such file or directory
Makefile:922: .deps/conversation.Plo: No such file or directory
Makefile:923: .deps/core.Plo: No such file or directory
Makefile:924: .deps/dbus-server.Plo: No such file or directory
Makefile:925: .deps/dbus-useful.Plo: No such file or directory
Makefile:926: .deps/debug.Plo: No such file or directory
Makefile:927: .deps/desktopitem.Plo: No such file or directory
Makefile:928: .deps/dnsquery.Plo: No such file or directory
Makefile:929: .deps/dnssrv.Plo: No such file or directory
Makefile:930: .deps/enum-types.Plo: No such file or directory
Makefile:931: .deps/eventloop.Plo: No such file or directory
Makefile:932: .deps/ft.Plo: No such file or directory
Makefile:933: .deps/idle.Plo: No such file or directory
Makefile:934: .deps/imgstore.Plo: No such file or directory
Makefile:935: .deps/log.Plo: No such file or directory
Makefile:936: .deps/marshallers.Plo: No such file or directory
Makefile:937: .deps/media.Plo: No such file or directory
Makefile:938: .deps/mediamanager.Plo: No such file or directory
Makefile:939: .deps/mime.Plo: No such file or directory
Makefile:940: .deps/nat-pmp.Plo: No such file or directory
Makefile:941: .deps/network.Plo: No such file or directory
Makefile:942: .deps/notify.Plo: No such file or directory
Makefile:943: .deps/ntlm.Plo: No such file or directory
Makefile:944: .deps/plugin.Plo: No such file or directory
Makefile:945: .deps/pluginpref.Plo: No such file or directory
Makefile:946: .deps/pounce.Plo: No such file or directory
Makefile:947: .deps/prefs.Plo: No such file or directory
Makefile:948: .deps/privacy.Plo: No such file or directory
Makefile:949: .deps/proxy.Plo: No such file or directory
Makefile:950: .deps/prpl.Plo: No such file or directory
Makefile:951: .deps/purple-client-example.Po: No such file or directory
Makefile:952: .deps/purple-client.Plo: No such file or directory
Makefile:953: .deps/request.Plo: No such file or directory
Makefile:954: .deps/roomlist.Plo: No such file or directory
Makefile:955: .deps/savedstatuses.Plo: No such file or directory
Makefile:956: .deps/server.Plo: No such file or directory
Makefile:957: .deps/signals.Plo: No such file or directory
Makefile:958: .deps/smiley.Plo: No such file or directory
Makefile:959: .deps/sound-theme-loader.Plo: No such file or directory
Makefile:960: .deps/sound-theme.Plo: No such file or directory
Makefile:961: .deps/sound.Plo: No such file or directory
Makefile:962: .deps/sslconn.Plo: No such file or directory
Makefile:963: .deps/status.Plo: No such file or directory
Makefile:964: .deps/stringref.Plo: No such file or directory
Makefile:965: .deps/stun.Plo: No such file or directory
Makefile:966: .deps/theme-loader.Plo: No such file or directory
Makefile:967: .deps/theme-manager.Plo: No such file or directory
Makefile:968: .deps/theme.Plo: No such file or directory
Makefile:969: .deps/upnp.Plo: No such file or directory
Makefile:970: .deps/util.Plo: No such file or directory
Makefile:971: .deps/value.Plo: No such file or directory
Makefile:972: .deps/version.Plo: No such file or directory
Makefile:973: .deps/whiteboard.Plo: No such file or directory
Makefile:974: .deps/xmlnode.Plo: No such file or directory
make[2]: *** No rule to make target `.deps/xmlnode.Plo'.  Stop.
make[2]: Leaving directory `/tmp/pidgin-mtn/libpurple'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/pidgin-mtn'
make: *** [all] Error 2

comment:18 Changed 9 years ago by ioerror

Doh - the answer was to call their autogen.sh!

comment:19 Changed 9 years ago by ioerror

This should give you a working Pidgin with Tor/privacy proxy support:

  cd /tmp/
  tar -xvzf pidgin.tgz
  cd pidgin-mtn
  patch -p1 < ../configure.ac-hardening.patch
  ./autogen.sh
  ./configure --disable-screensaver --disable-gstreamer --disable-vv --disable-idn --disable-meanwhile --disable-dbus --disable-perl --disable-tcl --enable-gnutls=no --enable-nss=yes --disable-consoleui --enable-gcc-hardening --enable-linker-hardening
  time make

comment:20 Changed 9 years ago by ioerror

I suspect we want to disable a lot more functionality. Gestures, gadugadu, etc.

comment:21 Changed 9 years ago by ioerror

I've submitted my patch for the new configure items here:
http://developer.pidgin.im/ticket/13879

Changed 9 years ago by ioerror

Attachment: libpurple-proxy.h.patch added

comment:22 Changed 9 years ago by ioerror

You'll need to apply the above libpurple-proxy.h patch too or the new "Tor/Privacy" proxy won't work at all.

comment:23 Changed 8 years ago by mikeperry

FYI: If we ever get around to grepping the source for proxy bypass issues, we should publish the scripts/regexes we use to do so. We'll probably miss a few things with the first pass audit doing this.
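
A sketch of the kind of first-pass script discussed in comments 13 and 23, as an added example (not a script from the Tor Project or Pidgin): it flags bare calls to libc socket and resolver functions in plugin C source, ignoring comments, string literals and names such as `purple_proxy_connect` or `g_signal_connect`. The function list is an assumed starting set and `SAMPLE` is a constructed snippet; calls made through function pointers or wrapper libraries are not detected.

```python
"""First-pass scan of protocol plugin C source for proxy-bypass candidates.

Added illustration; not a script published by the Tor Project or Pidgin.
"""
import re
import sys
from pathlib import Path

# libc / BSD socket and resolver entry points that reach the network without
# going through libpurple's proxy layer (e.g. purple_proxy_connect()).
DIRECT_CALLS = {
    "gethostbyname": "dns", "gethostbyname2": "dns", "gethostbyaddr": "dns",
    "getaddrinfo": "dns", "getnameinfo": "dns",
    "res_query": "dns", "res_search": "dns",
    "socket": "socket", "connect": "socket", "bind": "socket",
    "listen": "socket", "accept": "socket",
    "sendto": "socket", "recvfrom": "socket",
}

# Match bare calls only. The lookbehind rejects names that merely end in one
# of the words (purple_proxy_connect, g_signal_connect) and member calls
# (ops->connect, obj.connect), which need a manual look instead.
CALL_RE = re.compile(
    r"(?<![\w.>])(" + "|".join(map(re.escape, DIRECT_CALLS)) + r")\s*\("
)

# C comments, string literals and character literals.
COMMENT_OR_STRING_RE = re.compile(
    r"""//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'""",
    re.DOTALL,
)


def blank(match):
    """Replace a comment or literal with spaces, keeping line numbers stable."""
    return re.sub(r"[^\n]", " ", match.group(0))


def scan_source(name, text):
    """Return (file, line, function, category) for each direct network call."""
    clean = COMMENT_OR_STRING_RE.sub(blank, text)
    findings = []
    for lineno, line in enumerate(clean.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            findings.append((name, lineno, m.group(1), DIRECT_CALLS[m.group(1)]))
    return findings


def scan_tree(root):
    """Scan every .c and .h file below root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in (".c", ".h"):
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_source(str(path), text))
    return findings


# Constructed sample, not Pidgin source: one proxied login path and one
# file-transfer path that resolves and connects on its own.
SAMPLE = '''\
/* constructed sample */
static void login(PurpleAccount *account) {
    /* an earlier version called connect() directly */
    purple_proxy_connect(NULL, account, host, port, connected_cb, data);
}
static void send_file(const char *peer) {
    struct hostent *h = gethostbyname(peer);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    connect(fd, (struct sockaddr *)&sa, sizeof(sa));
    puts("getaddrinfo() appears only inside this string");
}
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:
        results = scan_source("sample.c", SAMPLE)
    for file, lineno, func, category in results:
        print(f"{file}:{lineno}: {category}: direct call to {func}()")
```

Run it with a source directory as the only argument to scan a tree; each hit is a place to read by hand, not a confirmed bypass.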

comment:24 Changed 8 years ago by ioerror

Pidgin has a new release out and it includes all of the proxy stuff.

comment:25 Changed 8 years ago by rransom

Type: defect → project

comment:26 Changed 8 years ago by erinn

Hello esteemed colleagues,

I have a pidgin build for Windows with only jabber, aim, and irc. Please give it a try:

http://erinn.org/~e/pidgin-2.10.0-tor.exe

a46a48d84958a1ada15bb9f966266a20d1752f2f37ff741fef72853a91daa0e1 pidgin-2.10.0-tor.exe

This isn't preconfigured with the proxy set to Tor -- I have to either do that separately at TBB build time or look into doing it at pidgin's build time, so you'll have to configure it yourself to test the protocols.

comment:27 Changed 8 years ago by erinn

Status: assigned → needs_review

http://erinn.org/~e/tor-im-browser-2.2.33-3-UNOFFICIAL_en-US.exe

a66d61904429d9d459fcead5d8bbc57bc5173f0f43727b77a9d7c062504c2550 tor-im-browser-2.2.33-3-UNOFFICIAL_en-US.exe

comment:28 Changed 8 years ago by ioerror

We probably need to either hack up Pidgin/libpurple/libotr to avoid these kinds of notification bugs that may result in plaintext data on disk:
http://trac.adium.im/ticket/15868
http://census-labs.com/news/2012/02/25/pidgin-otr-info-leak/

comment:29 Changed 8 years ago by ioerror

So it's absolutely annoying but disabling DBUS support in Pidgin is a reasonable stopgap to ensure that pidgin/libpurple won't send private information to DBUS.

comment:30 in reply to:  28 Changed 8 years ago by rransom

Replying to ioerror:

> We probably need to either hack up Pidgin/libpurple/libotr to avoid these kinds of notification bugs that may result in plaintext data on disk:

We don't, because we weren't going to build DBUS for Windows anyway, and we aren't going to ship any third-party notification plugins in TIMBB.

comment:31 Changed 8 years ago by StrangeCharm

Cc: StrangeCharm added

comment:32 Changed 8 years ago by xnyhps

Cc: tor@… added

comment:33 Changed 8 years ago by hellais

Can somebody test if a similar bug exists inside of pidgin too: http://trac.adium.im/ticket/15957?

comment:34 Changed 7 years ago by Shondoit

Cc: Shondoit added

Changed 7 years ago by ioerror

Attachment: pidgin-security-context.png added

Tor/Privacy proxy screenshot of current Pidgin proxy dialog

comment:35 Changed 7 years ago by ioerror

I've just uploaded a screenshot that shows the Tor/Privacy proxy setting in the current Pidgin releases. It does what we want and I think it is a good example of contextual security awareness by an application. It fails closed if the configured proxy settings are incorrect or if the proxy is down, etc.

comment:36 Changed 5 years ago by cypherpunks

Component: Tor bundles/installation → Tor Messenger

comment:37 Changed 5 years ago by cypherpunks

Can we close this or is it still relevant? (considering TorMessenger won't be based on Pidgin)

comment:38 Changed 5 years ago by arlolra

Resolution: invalid
Status: needs_review → closed

We can close it.

comment:39 Changed 14 months ago by traumschule

<+sukhe> hello. yes, I think it's fine to close the tickets. thanks for doing what we should have done earlier :)

sad but true:
https://blog.torproject.org/sunsetting-tor-messenger

luckily there are alternatives:
https://blog.torproject.org/tor-heart-onion-messaging

.. and maybe someday
