[SECURITY VULNERABILITY] CVE 2017-5593: User Impersonation Vulnerability in Jabber protocol
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
kopete (Ubuntu) |
Fix Released
|
Medium
|
Simon Quigley |
Bug Description
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks.
Email[1] informing us of this:
I need to inform you that jabber protocol in Kopete is vulnerable to
CVE-2017-5593 (User Impersonation Vulnerability) due to defect in
underlying Psi xmpp library libiris -- which is part of Kopete source
tree. Note that Kopete is vulnerable even it does not support XEP-0280:
Message Carbons yet (because defect is in libiris).
All Kopete versions which are part of KDE 16.11.80 (and new) are
affected.
Backported fix for libiris is now in Application/16.12 branch in commit
https:/
And so fix will be part of KDE 16.12.3 (Kopete 1.11.3).
More information at:
https:/
http://
http://
https:/
[1] https:/
CVE References
summary: |
[SECURITY VULNERABILITY] CVE 2017-5593: User Impersonation Vulnerability - in Jabber protocolUser Impersonation Vulnerability in Jabber protocol + in Jabber protocol |
Changed in kopete (Ubuntu): | |
assignee: | nobody → Simon Quigley (tsimonq2) |
status: | New → In Progress |
information type: | Private Security → Public Security |
Changed in kopete (Ubuntu): | |
importance: | Undecided → Medium |
Changed in kopete (Ubuntu): | |
status: | In Progress → Fix Committed |
Attached is a patch applicable to 16.12.1-0ubuntu2.