List: kde-release-team
Subject: Kopete: CVE 2017-5593 (User Impersonation Vulnerability)
From: Pali Rohár <pali.rohar () gmail ! com>
Date: 2017-02-11 12:59:01
Message-ID: 201702111359.01422 () pali
Hello!

I need to inform you that the Jabber protocol in Kopete is vulnerable to
CVE-2017-5593 (User Impersonation Vulnerability) due to a defect in the
underlying Psi XMPP library libiris -- which is part of the Kopete source
tree. Note that Kopete is vulnerable even though it does not support
XEP-0280: Message Carbons yet (because the defect is in libiris).

All Kopete versions which are part of KDE 16.11.80 (and newer) are
affected.

The backported fix for libiris is now in the Application/16.12 branch in commit
https://commits.kde.org/kopete/6243764c4fd0985320d4a10b48051cc418d584ad

And so the fix will be part of KDE 16.12.3 (Kopete 1.11.3).

More information at:
https://bugs.kde.org/show_bug.cgi?id=376348
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5593
http://seclists.org/oss-sec/2017/q1/373
https://github.com/psi-im/iris/pull/47/commits/02e976d4426a1319a7af7d26d7aba9d8c6077570

--
Pali Rohár
pali.rohar@gmail.com