Date: Sat, 10 Dec 2016 01:49:34 +0100
From: Mathieu Pasquet <>
Subject: Re: CVE Request: MCabber: remote attackers can modify
 the roster and intercept messages via a crafted roster-push IQ stanza

On Fri, Dec 09, 2016 at 09:19:06PM +0100, Salvatore Bonaccorso wrote:
> Hi
> Sam Whited discovered that MCabber versions 1.0.3 and before were
> vulnerable to an attack identical to Gajim's CVE-2015-8688 [1] which
> can lead to a malicious actor MITMing a conversation, or adding
> themselves as an entity on a third party's roster (thereby granting
> themselves the associated privileges such as observing when the user
> is online).
> The issue was fixed in the 1.0.4 release, with patch found at [2].
> Can a CVE be assigned for this issue?
> Regards,
> Salvatore
>  [1]
>  [2]

>  [3]


I would like to mention that when Sam mentioned it to the MCabber team,
I investigated the slixmpp [1] codebase to see if we were equally
vulnerable. It appeared that the default roster mechanism already has a
check in place, but it creates a general event before then, which could
be received by another handler to re-implement a Roster differently
(like we do in poezio [2]).

This specific bug has been corrected in [3] and [4], which are available
in slixmpp 1.2.3 (all previous versions are affected).

I’m not sure if this specific part warrants a CVE, as it is quite a
specific case (but people could send arbitrary roster pushes to poezio
before then), but I thought it would be good to mention. If it is
considered a real security flaw, I have to say that SleekXMPP [5] [6] is
also affected, and I will patch it if needed.


 [2] /

Mathieu Pasquet (mathieui)

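The check both fixes come down to is the one RFC 6121 section 2.1.6 asks of clients: a roster push is only to be applied if its 'from' attribute is absent (implicitly the user's own server) or is exactly the user's bare JID; a push from any other JID must be ignored. As an added example, not part of this thread and not code from MCabber, Gajim, slixmpp or poezio, the following applies that rule to constructed stanzas: a legitimate push, a forged push of the kind described above (a third party adding themselves with a mutual subscription), and a push carrying the user's own bare JID. The JIDs, stanza IDs and function names are assumptions made for the example.

```python
"""Added example (not code from MCabber, Gajim, slixmpp or poezio): a roster-push
handler that applies the 'from' check RFC 6121 section 2.1.6 requires before
touching the roster. Stanza text and JIDs below are constructed for the example."""
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_ROSTER = "jabber:iq:roster"


def bare_jid(jid):
    """Strip the resource: 'alice@example.org/laptop' -> 'alice@example.org'."""
    return jid.split("/", 1)[0]


def is_trusted_roster_push(iq, own_jid):
    """True only for an IQ 'set' carrying a jabber:iq:roster query whose 'from'
    is absent (implicitly the user's own server) or exactly the user's bare JID.
    Anything else, including other users and other servers, must be ignored.
    (Production code should JID-normalize before comparing; omitted here.)"""
    if iq.tag != "{%s}iq" % NS_CLIENT or iq.get("type") != "set":
        return False
    if iq.find("{%s}query" % NS_ROSTER) is None:
        return False
    sender = iq.get("from")
    return sender is None or sender == bare_jid(own_jid)


def apply_roster_push(roster, stanza_xml, own_jid):
    """Parse one stanza and apply it to `roster` (dict: bare JID -> item data).
    Returns the number of items added, updated or removed; a push that fails
    the 'from' check is dropped, returns 0 and leaves `roster` untouched."""
    iq = ET.fromstring(stanza_xml)
    if not is_trusted_roster_push(iq, own_jid):
        return 0
    changed = 0
    query = iq.find("{%s}query" % NS_ROSTER)
    for item in query.findall("{%s}item" % NS_ROSTER):
        jid = item.get("jid")
        if not jid:
            continue
        if item.get("subscription") == "remove":
            if roster.pop(jid, None) is not None:
                changed += 1
        else:
            roster[jid] = {
                "name": item.get("name", ""),
                "subscription": item.get("subscription", "none"),
                "groups": [g.text or "" for g in item.findall("{%s}group" % NS_ROSTER)],
            }
            changed += 1
    return changed


OWN_JID = "alice@example.org/laptop"  # constructed account JID

# Constructed: what the user's own server sends after a genuine roster change.
LEGIT_PUSH = (
    '<iq xmlns="jabber:client" type="set" id="push1">'
    '<query xmlns="jabber:iq:roster">'
    '<item jid="bob@example.org" name="Bob" subscription="both"><group>Friends</group></item>'
    '</query></iq>'
)

# Constructed: the attack pattern from the thread. A third party sends a roster
# "push" that a vulnerable client applied without checking who sent it; here it
# would add the attacker under a friendly name with a mutual subscription, so
# the user's presence would leak to them.
FORGED_PUSH = (
    '<iq xmlns="jabber:client" type="set" id="x1" '
    'from="mallory@evil.example" to="alice@example.org/laptop">'
    '<query xmlns="jabber:iq:roster">'
    '<item jid="mallory@evil.example" name="Bob" subscription="both"/>'
    '</query></iq>'
)

# Constructed: a push whose 'from' is the user's own bare JID, which the RFC
# allows; some servers set it explicitly.
OWN_BARE_PUSH = (
    '<iq xmlns="jabber:client" type="set" id="push2" from="alice@example.org">'
    '<query xmlns="jabber:iq:roster">'
    '<item jid="bob@example.org" subscription="remove"/>'
    '</query></iq>'
)

if __name__ == "__main__":
    roster = {}
    print("legit:", apply_roster_push(roster, LEGIT_PUSH, OWN_JID), roster)
    print("forged:", apply_roster_push(roster, FORGED_PUSH, OWN_JID), roster)
    print("own bare JID:", apply_roster_push(roster, OWN_BARE_PUSH, OWN_JID), roster)
```

The point the thread makes about slixmpp applies here too: the check has to sit in front of every code path that mutates the roster, not only in the library's default handler; a second handler that re-implements the roster from the same raw stanza event needs the same test before it acts.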
