Message-ID: <20161209201906.ltauap7fydkc62f6@eldamar.local>
Date: Fri, 9 Dec 2016 21:19:06 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza

Hi

Sam Whited discovered that MCabber versions 1.0.3 and before were vulnerable to an attack identical to Gajim's CVE-2015-8688 [1], which can lead to a malicious actor MITMing a conversation, or adding themselves as an entity on a third party's roster (thereby granting themselves the associated privileges, such as observing when the user is online).

The issue was fixed in the 1.0.4 release, with the patch found at [2].

Can a CVE be assigned for this issue?

Regards,
Salvatore

[1] https://gultsch.de/gajim_roster_push_and_message_interception.html
[2] https://bitbucket.org/McKael/mcabber-crew/commits/6e1ead98930d7dd0a520ad17c720ae4908429033/raw
[3] https://bugs.debian.org/845258
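The defensive check behind this bug class, as an added example that is not part of the post and not MCabber's own code: a client must only apply a roster-push IQ when it carries no 'from' attribute or a 'from' equal to the user's own bare JID (RFC 6121 section 2.1.6); the sample stanzas, JIDs and roster layout are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_ROSTER = "jabber:iq:roster"

def bare_jid(jid):
    """alice@example.org/mcabber -> alice@example.org"""
    return jid.split("/", 1)[0]

def roster_push_items(stanza_xml, own_jid):
    """Return the <item> elements of a roster push the client may apply, or
    None if the stanza must be ignored. RFC 6121 2.1.6: accept a push only if
    it has no 'from' (implicitly the user's own account) or 'from' equals the
    user's bare JID. JID normalisation (case, stringprep) is omitted here."""
    iq = ET.fromstring(stanza_xml)  # constructed input; real stanzas arrive pre-parsed
    if iq.tag != "{%s}iq" % NS_CLIENT or iq.get("type") != "set":
        return None
    query = iq.find("{%s}query" % NS_ROSTER)
    if query is None:
        return None
    sender = iq.get("from")
    if sender is not None and sender != bare_jid(own_jid):
        return None  # push from any other entity: ignore it
    return query.findall("{%s}item" % NS_ROSTER)

def apply_roster_push(roster, stanza_xml, own_jid):
    """Update roster (dict: bare JID -> attrs) from a trusted push.
    Returns True if applied, False if the stanza was ignored."""
    items = roster_push_items(stanza_xml, own_jid)
    if items is None:
        return False
    for item in items:
        if item.get("subscription") == "remove":
            roster.pop(item.get("jid"), None)
        else:
            roster[item.get("jid")] = {"name": item.get("name"),
                                       "subscription": item.get("subscription")}
    return True

# Constructed sample stanzas (not taken from the advisory or from MCabber).
OWN_JID = "alice@example.org/mcabber"
SERVER_PUSH = ("<iq xmlns='jabber:client' type='set' id='p1'>"  # no 'from': own server
               "<query xmlns='jabber:iq:roster'>"
               "<item jid='bob@example.org' name='Bob' subscription='both'/>"
               "</query></iq>")
FOREIGN_PUSH = ("<iq xmlns='jabber:client' type='set' id='p2' from='mallory@example.net'>"
                "<query xmlns='jabber:iq:roster'>"
                "<item jid='mallory@example.net' subscription='both'/>"
                "</query></iq>")
```

A client that skipped the 'from' check would apply FOREIGN_PUSH and let an unrelated entity add itself to the roster, which is the behaviour the advisory describes.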