Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza

[Salvatore Bonaccorso <carnil () debian org>]

Hi,

On Sun, Dec 11, 2016 at 05:29:13PM -0500, cve-assign () mitre org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > Sam Whited discovered that MCabber versions 1.0.3 and before, was
> > vulnerable to an attack identical to Gajim's CVE-2015-8688 which
> > can lead to a malicious actor MITMing a conversation, or adding
> > themselves as an entity on a third parties roster (thereby granting
> > themselves the associated privileges
> >
> > https://gultsch.de/gajim_roster_push_and_message_interception.html
> > https://bitbucket.org/McKael/mcabber-crew/commits/6e1ead98930d7dd0a520ad17c720ae4908429033/raw
> > https://bugs.debian.org/845258
>
> Use CVE-2016-9928.

Thanks.

> At present, we do not understand whether the behavior of other
> mentioned products, such as slixmpp and SleekXMPP, should be
> considered a vulnerability. If the situation is essentially "the
> product could be improved to make it less likely for third-party code
> authors to accidentally create an unsafe interaction," then typically
> a CVE ID is not required.
>
> However, if (for example) there is going to be a DSA for the
> python-sleekxmpp and python3-sleekxmpp packages, then we can assign an
> ID. As far as we can tell, the python3-slixmpp* packages are not
> available in jessie, and poezio is packaged for Fedora but not for any
> Debian distribution.

Just to confirm, we do not plan to issue a DSA for the above.

Regards,
Salvatore