Date: Sat, 10 Dec 2016 01:49:34 +0100
From: Mathieu Pasquet <mathieui@...hieui.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza

On Fri, Dec 09, 2016 at 09:19:06PM +0100, Salvatore Bonaccorso wrote:
> Hi
>
> Sam Whited discovered that MCabber versions 1.0.3 and before were
> vulnerable to an attack identical to Gajim's CVE-2015-8688 which
> can lead to a malicious actor MITMing a conversation, or adding
> themselves as an entity on a third party's roster (thereby granting
> themselves the associated privileges such as observing when the user
> is online).
>
> The issue was fixed in the 1.0.4 release, with patch found at .
>
> Can a CVE be assigned for this issue?
>
> Regards,
> Salvatore
>
> https://gultsch.de/gajim_roster_push_and_message_interception.html
> https://bitbucket.org/McKael/mcabber-crew/commits/6e1ead98930d7dd0a520ad17c720ae4908429033/raw
> https://bugs.debian.org/845258

Hello,

I would like to mention that when Sam mentioned it to the MCabber team, I investigated the slixmpp codebase to see if we were equally vulnerable. It appeared that the default roster mechanism already has a check in place, but it creates a general event before then, which could be received by another handler to re-implement a Roster differently (like we do in poezio).

This specific bug has been corrected in  and , which are available in slixmpp 1.2.3 (all previous versions are affected).

I’m not sure if this specific part warrants a CVE, as it is quite a specific case (but people could send arbitrary roster pushes to poezio before then), but I thought it would be good to mention.

If it is considered a real security flaw, I have to say that SleekXMPP is also affected, and I will patch it if needed.

Regards,
Mathieu

https://github.com/poezio/slixmpp
https://github.com/poezio/poezio / https://poez.io
https://git.louiz.org/slixmpp/commit/?id=ffdb6ffd69522bb14760eca196511ac69a158831
https://git.louiz.org/slixmpp/commit/?id=ffd9436e5cca9f92ed11683173a696972da2360b
https://github.com/fritzy/SleekXMPP
https://github.com/fritzy/SleekXMPP/blob/develop/sleekxmpp/clientxmpp.py#L112-L115

--
Mathieu Pasquet (mathieui)
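
Added example, not part of the original message and not code from MCabber, slixmpp or poezio: the sender check for roster pushes from RFC 6121 section 2.1.6, applied before any handler is notified, which is the ordering issue the message describes. RosterDispatcher, the helper names, the sample JIDs and the stanzas are constructed for illustration.

```python
import xml.etree.ElementTree as ET

IQ = "{jabber:client}iq"
ROSTER_QUERY = "{jabber:iq:roster}query"

def bare(jid):
    # Simplified: strip the resource and lowercase (real code needs full JID normalisation).
    return jid.split("/", 1)[0].lower()

def roster_push_allowed(iq, own_jid):
    """True only for a roster push with no 'from' or with 'from' equal to our bare JID."""
    if iq.tag != IQ or iq.get("type") != "set" or iq.find(ROSTER_QUERY) is None:
        return False
    sender = iq.get("from")
    return sender is None or sender.lower() == bare(own_jid)

class RosterDispatcher:
    """Hypothetical dispatcher: the sender check runs before any event is emitted."""
    def __init__(self, own_jid):
        self.own_jid = own_jid
        self.handlers = []   # application-level roster handlers (e.g. a client UI)
        self.dropped = []    # rejected senders, kept for logging

    def handle(self, stanza_xml):
        iq = ET.fromstring(stanza_xml)
        if not roster_push_allowed(iq, self.own_jid):
            self.dropped.append(iq.get("from"))
            return False     # no handler ever sees the rejected push
        for handler in self.handlers:
            handler(iq)
        return True

def push(sender=None, item="contact@example.org"):
    # Constructed sample stanza, not captured traffic.
    frm = f" from='{sender}'" if sender else ""
    return (f"<iq xmlns='jabber:client' type='set' id='p1'{frm}>"
            f"<query xmlns='jabber:iq:roster'>"
            f"<item jid='{item}' subscription='both'/></query></iq>")

def demo():
    d = RosterDispatcher("juliet@example.com/balcony")
    seen = []
    d.handlers.append(lambda iq: seen.append(iq.find(ROSTER_QUERY)[0].get("jid")))
    results = [d.handle(push()),                      # server push, no 'from'
               d.handle(push("juliet@example.com")),  # own bare JID
               d.handle(push("mallory@example.net/x", "mallory@example.net"))]  # third party
    return results, seen, d.dropped

if __name__ == "__main__":
    print(demo())
```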