[SECURITY VULNERABILITY] CVE 2017-5593: User Impersonation Vulnerability in Jabber protocol

Bug #1663950 reported by Simon Quigley
Affects | Status | Importance | Assigned to | Milestone
kopete (Ubuntu) | Fix Released | Medium | Simon Quigley |

Bug Description

An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks.

Email[1] informing us of this:

I need to inform you that the Jabber protocol in Kopete is vulnerable to
CVE-2017-5593 (User Impersonation Vulnerability) due to a defect in the
underlying Psi XMPP library libiris -- which is part of the Kopete source
tree. Note that Kopete is vulnerable even if it does not support XEP-0280:
Message Carbons yet (because the defect is in libiris).

All Kopete versions which are part of KDE 16.11.80 (and newer) are
affected.

Backported fix for libiris is now in Application/16.12 branch in commit
https://commits.kde.org/kopete/6243764c4fd0985320d4a10b48051cc418d584ad

And so the fix will be part of KDE 16.12.3 (Kopete 1.11.3).

More information at:
https://bugs.kde.org/show_bug.cgi?id=376348
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5593
http://seclists.org/oss-sec/2017/q1/373
https://github.com/psi-im/iris/pull/47/commits/02e976d4426a1319a7af7d26d7aba9d8c6077570

[1] https://mail.kde.org/pipermail/release-team/2017-February/010088.html
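
XEP-0280's security considerations require a receiving client to ignore any carbon copy whose outer stanza does not come from the user's own bare JID. The following is an added example of that check, not code from Kopete, libiris or this report; the function names, the JIDs and the sample stanzas are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CARBONS = "{urn:xmpp:carbons:2}"
FORWARD = "{urn:xmpp:forward:0}"
CLIENT = "{jabber:client}"
OWN_JID = "romeo@montague.example/garden"  # constructed account for the example

# Constructed sample stanzas (not captured traffic). Both carbons wrap the
# same inner message; only the outer 'from' differs.
INNER = ("<forwarded xmlns='urn:xmpp:forward:0'><message xmlns='jabber:client' "
         "from='juliet@capulet.example/balcony' to='romeo@montague.example/garden'>"
         "<body>hello</body></message></forwarded>")
CARBON = ("<message xmlns='jabber:client' from='{sender}' "
          "to='romeo@montague.example/garden'>"
          "<received xmlns='urn:xmpp:carbons:2'>" + INNER + "</received></message>")
FROM_OWN_ACCOUNT = CARBON.format(sender="romeo@montague.example")
FROM_THIRD_PARTY = CARBON.format(sender="other@third-party.example/x")
PLAIN = ("<message xmlns='jabber:client' from='juliet@capulet.example/balcony' "
         "to='romeo@montague.example/garden'><body>hi</body></message>")

def bare_jid(jid):
    # Drop the resource part. Lowercasing only approximates real JID
    # normalization (assumption made to keep the example short).
    return jid.split("/", 1)[0].lower()

def displayed_sender(stanza_xml, own_jid):
    """Return the JID to show as sender, or None if the stanza must be ignored."""
    msg = ET.fromstring(stanza_xml)
    outer_from = msg.get("from") or ""
    carbon = msg.find(CARBONS + "received")
    if carbon is None:
        carbon = msg.find(CARBONS + "sent")
    if carbon is None:
        return outer_from or None  # ordinary message: outer 'from' is the sender
    # Carbon wrapper present: trust the forwarded payload only when the outer
    # stanza was sent by our own bare JID (i.e. by our own server account).
    if outer_from.lower() != bare_jid(own_jid):
        return None
    forwarded = carbon.find(FORWARD + "forwarded")
    inner = None if forwarded is None else forwarded.find(CLIENT + "message")
    return None if inner is None else inner.get("from")
```

A client that skips the outer `from` comparison would display the inner sender for both carbon samples, which is the impersonation the report describes.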

Tags: patch

Simon Quigley (tsimonq2)
summary: [SECURITY VULNERABILITY] CVE 2017-5593: User Impersonation Vulnerability
- in Jabber protocolUser Impersonation Vulnerability in Jabber protocol
+ in Jabber protocol
Changed in kopete (Ubuntu):
assignee: nobody → Simon Quigley (tsimonq2)
status: New → In Progress
Simon Quigley (tsimonq2) wrote :

Attached is a patch applicable to 16.12.1-0ubuntu2.

information type: Private Security → Public Security
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "ubuntu2-to-ubuntu3.patch" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Mathew Hodson (mhodson)
Changed in kopete (Ubuntu):
importance: Undecided → Medium
Robie Basak (racb)
Changed in kopete (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package kopete - 4:16.12.1-0ubuntu3

---------------
kopete (4:16.12.1-0ubuntu3) zesty; urgency=medium

  * SECURITY UPDATE: User Impersonation Vulnerability in Jabber protocol
    (LP: #1663950)
   - CVE-2017-5593-User-Impersonation-Vulnerability-in-Jabber-protocol.patch
   - CVE-2017-5593

 -- Simon Quigley <email address hidden> Sat, 11 Feb 2017 18:19:49 -0600

Changed in kopete (Ubuntu):
status: Fix Committed → Fix Released