Date: Sat, 10 Dec 2016 01:49:34 +0100
From: Mathieu Pasquet <mathieui@...hieui.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza

On Fri, Dec 09, 2016 at 09:19:06PM +0100, Salvatore Bonaccorso wrote:
> Hi
>
> Sam Whited discovered that MCabber versions 1.0.3 and before were
> vulnerable to an attack identical to Gajim's CVE-2015-8688 which
> can lead to a malicious actor MITMing a conversation, or adding
> themselves as an entity on a third party's roster (thereby granting
> themselves the associated privileges such as observing when the user
> is online).
>
> The issue was fixed in the 1.0.4 release, with patch found at .
>
> Can a CVE be assigned for this issue?
>
> Regards,
> Salvatore
>
> https://gultsch.de/gajim_roster_push_and_message_interception.html
> https://bitbucket.org/McKael/mcabber-crew/commits/6e1ead98930d7dd0a520ad17c720ae4908429033/raw
> https://bugs.debian.org/845258

Hello,

I would like to mention that when Sam mentioned it to the MCabber team,
I investigated the slixmpp codebase to see if we were equally
vulnerable. It appeared that the default roster mechanism already has
a check in place, but it creates a general event before then, which
could be received by another handler to re-implement a Roster
differently (like we do in poezio).

This specific bug has been corrected in  and , which are available in
slixmpp 1.2.3 (all previous versions are affected).

I’m not sure if this specific part warrants a CVE, as it is quite a
specific case (but people could send arbitrary roster pushes to poezio
before then), but I thought it would be good to mention.

If it is considered a real security flaw, I have to say that SleekXMPP
is also affected, and I will patch it if needed.

Regards,
Mathieu

https://github.com/poezio/slixmpp
https://github.com/poezio/poezio / https://poez.io
https://git.louiz.org/slixmpp/commit/?id=ffdb6ffd69522bb14760eca196511ac69a158831
https://git.louiz.org/slixmpp/commit/?id=ffd9436e5cca9f92ed11683173a696972da2360b
https://github.com/fritzy/SleekXMPP
https://github.com/fritzy/SleekXMPP/blob/develop/sleekxmpp/clientxmpp.py#L112-L115

-- 
Mathieu Pasquet (mathieui)
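
The ordering problem described in the message above (a generic event fired before the sender check runs), shown as an added example that is not code from slixmpp, poezio, SleekXMPP or MCabber. It applies the RFC 6121 section 2.1.6 rule before any roster change or event dispatch; the function names, the `events` list and the sample stanzas are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ROSTER_QUERY = "{jabber:iq:roster}query"
ROSTER_ITEM = "{jabber:iq:roster}item"

# Constructed sample stanzas (not captured traffic).
OWN_JID = "victim@example.org/laptop"
PUSH = ("<iq type='set' id='p1'{sender}><query xmlns='jabber:iq:roster'>"
        "<item jid='{jid}' subscription='both'/></query></iq>")
SPOOFED = PUSH.format(sender=" from='mallory@example.net/x'",
                      jid="mallory@example.net")
GENUINE = PUSH.format(sender=" from='victim@example.org'",
                      jid="friend@example.org")
NO_FROM = PUSH.format(sender="", jid="colleague@example.org")


def is_trusted_roster_push(iq, own_jid):
    """True only for a roster push the account's own server could have sent."""
    if iq.get("type") != "set" or iq.find(ROSTER_QUERY) is None:
        return False
    sender = iq.get("from")
    own_bare = own_jid.split("/", 1)[0]
    # RFC 6121 2.1.6: accept only a missing 'from' or the user's own bare JID.
    # Exact string comparison: anything else is dropped (fails closed).
    return sender is None or sender == own_bare


def handle_iq(raw, own_jid, roster, events):
    """Validate first, then update the roster and notify other handlers."""
    iq = ET.fromstring(raw)
    if not is_trusted_roster_push(iq, own_jid):
        return False  # dropped: no roster change, no event for plugins
    for item in iq.find(ROSTER_QUERY).findall(ROSTER_ITEM):
        if item.get("subscription") == "remove":
            roster.pop(item.get("jid"), None)
        else:
            roster[item.get("jid")] = item.get("subscription", "none")
    # The event is emitted only after the check, so a handler that keeps
    # its own roster never sees a push from a third party.
    events.append(("roster_update", iq))
    return True


if __name__ == "__main__":
    roster, events = {}, []
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE),
                      ("no from", NO_FROM)):
        print(name, handle_iq(raw, OWN_JID, roster, events))
    print(roster)
```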