oss-sec mailing list archives
Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza
From: Salvatore Bonaccorso <carnil () debian org>
Date: Tue, 13 Dec 2016 06:53:15 +0100
Hi, On Sun, Dec 11, 2016 at 05:29:13PM -0500, cve-assign () mitre org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > Sam Whited discovered that MCabber versions 1.0.3 and before were
> > vulnerable to an attack identical to Gajim's CVE-2015-8688, which can
> > lead to a malicious actor MITMing a conversation, or adding themselves
> > as an entity on a third party's roster (thereby granting themselves
> > the associated privileges).
> >
> > https://gultsch.de/gajim_roster_push_and_message_interception.html
> > https://bitbucket.org/McKael/mcabber-crew/commits/6e1ead98930d7dd0a520ad17c720ae4908429033/raw
> > https://bugs.debian.org/845258
>
> Use CVE-2016-9928.

Thanks.

> At present, we do not understand whether the behavior of other mentioned
> products, such as slixmpp and SleekXMPP, should be considered a
> vulnerability. If the situation is essentially "the product could be
> improved to make it less likely for third-party code authors to
> accidentally create an unsafe interaction," then typically a CVE ID is
> not required. However, if (for example) there is going to be a DSA for
> the python-sleekxmpp and python3-sleekxmpp packages, then we can assign
> an ID. As far as we can tell, the python3-slixmpp* packages are not
> available in jessie, and poezio is packaged for Fedora but not for any
> Debian distribution.
Just to confirm, we do not plan to issue a DSA for the above.

Regards,
Salvatore
Current thread:
- CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza Salvatore Bonaccorso (Dec 09)
- Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza Mathieu Pasquet (Dec 09)
- Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza cve-assign (Dec 11)
- Re: Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza Sam Whited (Dec 12)
- Re: Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza Sam Whited (Dec 12)
- Re: Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza Salvatore Bonaccorso (Dec 14)
- Re: Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza Sam Whited (Dec 12)
- Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza Salvatore Bonaccorso (Dec 12)