Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 13 Dec 2016 06:53:15 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request: MCabber: remote attackers can modify the roster and
 intercept messages via a crafted roster-push IQ stanza

Hi,

On Sun, Dec 11, 2016 at 05:29:13PM -0500, cve-assign@...re.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> > Sam Whited discovered that MCabber versions 1.0.3 and before, was
> > vulnerable to an attack identical to Gajim's CVE-2015-8688 which
> > can lead to a malicious actor MITMing a conversation, or adding
> > themselves as an entity on a third parties roster (thereby granting
> > themselves the associated privileges
> > 
> > https://gultsch.de/gajim_roster_push_and_message_interception.html
> > https://bitbucket.org/McKael/mcabber-crew/commits/6e1ead98930d7dd0a520ad17c720ae4908429033/raw
> > https://bugs.debian.org/845258
> 
> Use CVE-2016-9928.

Thanks.

> At present, we do not understand whether the behavior of other
> mentioned products, such as slixmpp and SleekXMPP, should be
> considered a vulnerability. If the situation is essentially "the
> product could be improved to make it less likely for third-party code
> authors to accidentally create an unsafe interaction," then typically
> a CVE ID is not required.
> 
> However, if (for example) there is going to be a DSA for the
> python-sleekxmpp and python3-sleekxmpp packages, then we can assign an
> ID. As far as we can tell, the python3-slixmpp* packages are not
> available in jessie, and poezio is packaged for Fedora but not for any
> Debian distribution.

Just to confirm, we do not plan to issue a DSA for the above.

Regards,
Salvatore

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ