
List:       kde-release-team
Subject:    Re: Kopete: CVE 2017-5593 (User Impersonation Vulnerability)
From:       Albert Astals Cid <aacid () kde ! org>
Date:       2017-02-13 23:07:46
Message-ID: 3282368.lcfoyJYpBW () xps

On Saturday, 11 February 2017, at 13:59:01 CET, Pali Rohár wrote:
> Hello!
> 
> I need to inform you that the Jabber protocol in Kopete is vulnerable to
> CVE-2017-5593 (User Impersonation Vulnerability) due to a defect in the
> underlying Psi XMPP library libiris -- which is part of the Kopete source
> tree. Note that Kopete is vulnerable even though it does not support XEP-0280:
> Message Carbons yet (because the defect is in libiris).

This shows we should not be embedding libiris, is this something that can be 
worked on?

Cheers,
  Albert

> 
> All Kopete versions which are part of KDE 16.11.80 (and newer) are
> affected.
> 
> The backported fix for libiris is now in the Application/16.12 branch in commit
> https://commits.kde.org/kopete/6243764c4fd0985320d4a10b48051cc418d584ad
> 
> And so the fix will be part of KDE 16.12.3 (Kopete 1.11.3).
> 
> More information at:
> https://bugs.kde.org/show_bug.cgi?id=376348
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5593
> http://seclists.org/oss-sec/2017/q1/373
> https://github.com/psi-im/iris/pull/47/commits/02e976d4426a1319a7af7d26d7aba9d8c6077570

