Debian Bug report logs - #569506
irssi-plugin-otr: emote leaks information


Package: irssi-plugin-otr; Maintainer for irssi-plugin-otr is Debian OTR Team <pkg-otr-team@lists.alioth.debian.org>; Source for irssi-plugin-otr is src:irssi-plugin-otr.

Reported by: Micah Anderson <micah@debian.org>

Date: Fri, 12 Feb 2010 00:00:02 UTC

Severity: important

Tags: security

Found in version irssi-plugin-otr/0.3-1

Fixed in version irssi-plugin-otr/1.0.0~alpha2-1~exp0

Done: Antoine Beaupré <anarcat@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, micah@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Spreen <netzwurm@debian.org>:
Bug#569506; Package irssi-plugin-otr. (Fri, 12 Feb 2010 00:00:05 GMT)

Acknowledgement sent to Micah Anderson <micah@debian.org>:
New Bug report received and forwarded. Copy sent to micah@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, David Spreen <netzwurm@debian.org>. (Fri, 12 Feb 2010 00:00:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Micah Anderson <micah@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: irssi-plugin-otr: emote leaks information
Date: Thu, 11 Feb 2010 18:58:45 -0500
Package: irssi-plugin-otr
Version: 0.3-1
Severity: important
Tags: security

The irssi otr plugin silently leaks unencrypted *on the record*
information when you use the /me emote functionality of irssi.

If you issue '/me hates leaking' in your client, you will not have any
indication whatsoever that this emote was sent over an unencrypted
communications channel, but it clearly is:

<br><font size="2">(03:48:27 PM) </font><b><font size="3">The
following message received from <a
href="mailto:micah@entodaspartes.org">micah@entodaspartes.org</a> was
<i>not</i> encrypted: [/me hates leaking]</font></b>

That is bad, it should not do that!
micah


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-vserver-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
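
A wire-level check for the leak reported above, as an added example that is not part of the original report or of the plugin's code. It assumes `/me` is sent as a CTCP ACTION inside a PRIVMSG (standard IRC client behaviour) and that OTR protocol messages begin with `?OTR`; the function name, the `otr_active` flag and the sample lines are hypothetical and constructed.

```c
#include <stdio.h>
#include <string.h>

/* Verdicts for one outgoing IRC line addressed to a query peer. */
enum verdict { NOT_PRIVMSG, NO_SESSION, OTR_MESSAGE, LEAK_TEXT, LEAK_ACTION };

/* Classify a raw outgoing line. otr_active is the caller's view of whether
 * an OTR session exists with the target (hypothetical flag for this example). */
enum verdict classify_outgoing(const char *line, int otr_active)
{
    if (strncmp(line, "PRIVMSG ", 8) != 0)
        return NOT_PRIVMSG;
    const char *payload = strstr(line + 8, " :");
    if (payload == NULL)
        return NOT_PRIVMSG;
    payload += 2;
    if (!otr_active)
        return NO_SESSION;          /* plaintext is expected without a session */

    /* /me travels as a CTCP ACTION: \001ACTION text\001 */
    int is_action = strncmp(payload, "\001ACTION ", 8) == 0;
    if (is_action)
        payload += 8;

    /* OTR protocol messages start with "?OTR"; anything else is cleartext. */
    if (strncmp(payload, "?OTR", 4) == 0)
        return OTR_MESSAGE;
    return is_action ? LEAK_ACTION : LEAK_TEXT;
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    const char *samples[] = {
        "PRIVMSG bob :?OTR:AAMD(constructed).",
        "PRIVMSG bob :\001ACTION hates leaking\001",
        "PRIVMSG bob :hello in the clear",
        "PING :irc.example.org",
    };
    static const char *names[] = { "not-privmsg", "no-session", "otr-message",
                                   "LEAK (text)", "LEAK (/me action)" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-18s %.40s\n", names[classify_outgoing(samples[i], 1)], samples[i]);
    return 0;
}
```

Run against a client's raw output log during an active OTR session, any `LEAK` verdict marks a line that left the client unencrypted without the sender being told.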




Reply sent to Antoine Beaupré <anarcat@debian.org>:
You have taken responsibility. (Fri, 10 May 2013 16:36:11 GMT)

Notification sent to Micah Anderson <micah@debian.org>:
Bug acknowledged by developer. (Fri, 10 May 2013 16:36:11 GMT)

Message #10 received at 569506-close@bugs.debian.org:

From: Antoine Beaupré <anarcat@debian.org>
To: 569506-close@bugs.debian.org
Subject: Bug#569506: fixed in irssi-plugin-otr 1.0.0~alpha2-1~exp0
Date: Fri, 10 May 2013 16:32:58 +0000
Source: irssi-plugin-otr
Source-Version: 1.0.0~alpha2-1~exp0

We believe that the bug you reported is fixed in the latest version of
irssi-plugin-otr, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 569506@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antoine Beaupré <anarcat@debian.org> (supplier of updated irssi-plugin-otr package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 10 May 2013 09:07:12 -0400
Source: irssi-plugin-otr
Binary: irssi-plugin-otr
Architecture: source amd64
Version: 1.0.0~alpha2-1~exp0
Distribution: experimental
Urgency: low
Maintainer: David Spreen <netzwurm@debian.org>
Changed-By: Antoine Beaupré <anarcat@debian.org>
Description: 
 irssi-plugin-otr - Off-the-Record Messaging Plugin for Irssi
Closes: 499229 569506 576696 695150
Changes: 
 irssi-plugin-otr (1.0.0~alpha2-1~exp0) experimental; urgency=low
 .
   * New upstream release.
   * Remove destdir_support.patch, accepted upstream.
   * Remove python build dependency.
   * Use dh-autoreconf instead of manual bootstrap code.
   * Add missing dependencies.
   * Upload to experimental (Closes: #695150, #569506, #576696, #499229).
   * Add myself to maintainers.
   * Change dependency on libotr5 so we don't have to wait for the
     experimental release to build. We still upload to experimental to
     avoid shipping a broken version in sid. Once libotr5-4.0.0-2.1 hits
     unstable, this can be uploaded to unstable too.




Information forwarded to debian-bugs-dist@lists.debian.org, David Spreen <netzwurm@debian.org>:
Bug#569506; Package irssi-plugin-otr. (Sat, 11 May 2013 02:45:07 GMT)

Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. Copy sent to David Spreen <netzwurm@debian.org>. (Sat, 11 May 2013 02:45:07 GMT)

Message #15 received at 569506@bugs.debian.org:

From: Antoine Beaupré <anarcat@debian.org>
To: 505269@bugs.debian.org
Cc: 569506@bugs.debian.org, 576696@bugs.debian.org
Subject: is this still happening in the 1.0 series?
Date: Fri, 10 May 2013 22:42:10 -0400
Control: tag 505269 +moreinfo

Hi,

Whoa, this is an old bug! Yet there haven't been many changes to the
package in the last years... until today! I have uploaded a shiny new
alpha release to unstable that is way better than the one in squeeze or
jessie, so give it a try and let me know if this bug is still there!

I have closed a few issues that I know are fixed (#569506, #576696), but
the "unrelated window bug" (#505269) I have never seen so I am not sure
I can close it.

Please let me know if you can reproduce.

A.
-- 
We should act only in such a way that if everyone 
else acted as we do, we would accept the results.
                        - Kant

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 Oct 2013 07:26:26 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 10:57:48 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.