oss-sec mailing list archives

CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza

From: Salvatore Bonaccorso <carnil () debian org>
Date: Fri, 9 Dec 2016 21:19:06 +0100

Hi

Sam Whited discovered that MCabber versions 1.0.3 and before, was
vulnerable to an attack identical to Gajim's CVE-2015-8688 [1] which
can lead to a malicious actor MITMing a conversation, or adding
themselves as an entity on a third parties roster (thereby granting
themselves the associated priviledges such as observing when the user
is online).

The issue was fixed in the 1.0.4 release, with patch found at [2].

Can a CVE be assigned for this issue?

Regards,
Salvatore

 [1] https://gultsch.de/gajim_roster_push_and_message_interception.html
 [2] https://bitbucket.org/McKael/mcabber-crew/commits/6e1ead98930d7dd0a520ad17c720ae4908429033/raw
 [3] https://bugs.debian.org/845258

Current thread:

CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza Salvatore Bonaccorso (Dec 09)
- Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza Mathieu Pasquet (Dec 09)
- Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza cve-assign (Dec 11)
  - Re: Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza Sam Whited (Dec 12)
    - Re: Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza Sam Whited (Dec 12)
    - Re: Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza Salvatore Bonaccorso (Dec 14)
  - Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza Salvatore Bonaccorso (Dec 12)