Debian Bug report logs - #863445
gajim: CVE-2016-10376: possible to remote extract plain-text from encrypted sessions


Package: gajim; Maintainer for gajim is Debian XMPP Maintainers <pkg-xmpp-devel@lists.alioth.debian.org>; Source for gajim is src:gajim (PTS, buildd, popcon).

Reported by: "W. Martin Borgert" <debacle@debian.org>

Date: Fri, 26 May 2017 22:33:01 UTC

Severity: grave

Tags: patch, security, upstream

Merged with 863698

Found in versions gajim/0.16.6-1, gajim/0.16-1

Fixed in versions gajim/0.16.6-1.1, gajim/0.16.8-1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://dev.gajim.org/gajim/gajim/issues/8378



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>:
Bug#863445; Package gajim. (Fri, 26 May 2017 22:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to "W. Martin Borgert" <debacle@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Tanguy Ortolo <tanguy+debian@ortolo.eu>. (Fri, 26 May 2017 22:33:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "W. Martin Borgert" <debacle@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: possible to remote extract plain-text from encrypted sessions
Date: Sat, 27 May 2017 00:29:34 +0200
Package: gajim
Version: 0.16.6-1
Severity: grave
Tags: patch security upstream

grave, because it introduces a security hole allowing unencrypted
access to supposedly encrypted messages

Gajim implements unconditionally XEP-0146, which allows other
clients to access certain user data. This can be abused by
malicious XMPP servers:
https://dev.gajim.org/gajim/gajim/issues/8378

It seems that XMPP experts already plan to deprecate the
feature:
https://mail.jabber.org/pipermail/standards/2016-August/031335.html

Gajim upstream made the feature an opt-in, which is IMHO good
enough for now:
https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc

We just need to apply the change to the Debian package.
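As an added illustration (not Gajim's or the Debian package's code), a minimal IQ handler that gates XEP-0146 remote-control commands behind an opt-in setting defaulting to off; the namespaces and node names are those of XEP-0050 and XEP-0146, while the sample stanzas and JIDs are constructed here.

```python
"""Opt-in gate for XEP-0146 (Remote Controlling Clients) ad-hoc commands.
Added illustration, not Gajim's code: the handler answers these commands
only when a user setting that defaults to off has been enabled."""
from typing import Optional
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_COMMANDS = "http://jabber.org/protocol/commands"  # XEP-0050 ad-hoc commands
NS_STANZAS = "urn:ietf:params:xml:ns:xmpp-stanzas"
RC_PREFIX = "http://jabber.org/protocol/rc#"        # XEP-0146 command nodes

# Constructed sample: another resource (or a server pretending to be one)
# asks this client to execute a XEP-0146 command.  JIDs are made up.
SAMPLE_RC_REQUEST = (
    "<iq xmlns='jabber:client' type='set' id='rc1' "
    "from='alice@example.org/phone' to='alice@example.org/laptop'>"
    "<command xmlns='http://jabber.org/protocol/commands' "
    "node='http://jabber.org/protocol/rc#forward' action='execute'/></iq>"
)
SAMPLE_PING = ("<iq xmlns='jabber:client' type='get' id='p1' "
               "from='alice@example.org/phone'><ping xmlns='urn:xmpp:ping'/></iq>")


def rc_node(iq: ET.Element) -> Optional[str]:
    """Return the XEP-0146 command node of an IQ, or None if it is not one."""
    cmd = iq.find(f"{{{NS_COMMANDS}}}command")
    if iq.get("type") != "set" or cmd is None:
        return None
    node = cmd.get("node", "")
    return node if node.startswith(RC_PREFIX) else None


def rc_decision(iq_xml: str, remote_control_enabled: bool = False) -> str:
    """'unhandled' (not a remote-control IQ), 'denied' or 'accepted'.
    Only the local opt-in decides: checking 'from' against the user's own
    JID would not stop a malicious server, which stamps 'from' itself."""
    if rc_node(ET.fromstring(iq_xml)) is None:
        return "unhandled"
    return "accepted" if remote_control_enabled else "denied"


def error_reply(iq_xml: str) -> str:
    """Build the service-unavailable error sent back for a denied request."""
    iq = ET.fromstring(iq_xml)
    reply = ET.Element(f"{{{NS_CLIENT}}}iq", {"type": "error",
                       "id": iq.get("id", ""), "to": iq.get("from", "")})
    err = ET.SubElement(reply, f"{{{NS_CLIENT}}}error", {"type": "cancel"})
    ET.SubElement(err, f"{{{NS_STANZAS}}}service-unavailable")
    return ET.tostring(reply, encoding="unicode")
```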



Reply sent to debacle@debian.org (W. Martin Borgert):
You have taken responsibility. (Sat, 27 May 2017 00:21:04 GMT) (full text, mbox, link).


Notification sent to "W. Martin Borgert" <debacle@debian.org>:
Bug acknowledged by developer. (Sat, 27 May 2017 00:21:04 GMT) (full text, mbox, link).


Message #10 received at 863445-close@bugs.debian.org (full text, mbox, reply):

From: debacle@debian.org (W. Martin Borgert)
To: 863445-close@bugs.debian.org
Subject: Bug#863445: fixed in gajim 0.16.6-1.1
Date: Sat, 27 May 2017 00:18:45 +0000
Source: gajim
Source-Version: 0.16.6-1.1

We believe that the bug you reported is fixed in the latest version of
gajim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863445@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
W. Martin Borgert <debacle@debian.org> (supplier of updated gajim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 26 May 2017 22:35:49 +0000
Source: gajim
Binary: gajim
Architecture: source all
Version: 0.16.6-1.1
Distribution: unstable
Urgency: high
Maintainer: Tanguy Ortolo <tanguy+debian@ortolo.eu>
Changed-By: W. Martin Borgert <debacle@debian.org>
Description:
 gajim      - GTK+-based Jabber client
Closes: 863445
Changes:
 gajim (0.16.6-1.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Apply upstream patch to make XEP-0146 opt-in (Closes: #863445)





Marked as found in versions gajim/0.16-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 27 May 2017 05:51:02 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'https://dev.gajim.org/gajim/gajim/issues/8378'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 27 May 2017 05:51:04 GMT) (full text, mbox, link).


Changed Bug title to 'gajim: CVE-2016-10376: possible to remote extract plain-text from encrypted sessions' from 'possible to remote extract plain-text from encrypted sessions'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 28 May 2017 04:48:02 GMT) (full text, mbox, link).


Unset Bug forwarded-to-address Request was from Guido Günther <agx@sigxcpu.org> to control@bugs.debian.org. (Tue, 30 May 2017 06:57:07 GMT) (full text, mbox, link).


Bug reopened Request was from Guido Günther <agx@sigxcpu.org> to control@bugs.debian.org. (Tue, 30 May 2017 06:57:08 GMT) (full text, mbox, link).


No longer marked as fixed in versions gajim/0.16.6-1.1. Request was from Guido Günther <agx@sigxcpu.org> to control@bugs.debian.org. (Tue, 30 May 2017 06:57:08 GMT) (full text, mbox, link).


Marked as fixed in versions gajim/0.16.6-1.1. Request was from Guido Günther <agx@sigxcpu.org> to control@bugs.debian.org. (Tue, 30 May 2017 06:57:10 GMT) (full text, mbox, link).


Merged 863445 863698 Request was from Guido Günther <agx@sigxcpu.org> to control@bugs.debian.org. (Tue, 30 May 2017 06:57:11 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'https://dev.gajim.org/gajim/gajim/issues/8378'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 30 May 2017 07:21:07 GMT) (full text, mbox, link).


Marked Bug as done Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 30 May 2017 07:21:09 GMT) (full text, mbox, link).


Notification sent to "W. Martin Borgert" <debacle@debian.org>:
Bug acknowledged by developer. (Tue, 30 May 2017 07:21:10 GMT) (full text, mbox, link).


Message sent on to "W. Martin Borgert" <debacle@debian.org>:
Bug#863445. (Tue, 30 May 2017 07:21:12 GMT) (full text, mbox, link).


Message #35 received at 863445-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 863445-submitter@bugs.debian.org
Subject: bug 863445 is forwarded to https://dev.gajim.org/gajim/gajim/issues/8378, closing 863445
Date: Tue, 30 May 2017 09:16:11 +0200
forwarded 863445 https://dev.gajim.org/gajim/gajim/issues/8378
close 863445 0.16.6-1.1
thanks




Marked as fixed in versions gajim/0.16.8-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 19 Jun 2017 12:48:14 GMT) (full text, mbox, link).


Message sent on to "W. Martin Borgert" <debacle@debian.org>:
Bug#863445. (Mon, 19 Jun 2017 12:48:24 GMT) (full text, mbox, link).


Message #40 received at 863445-submitter@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: control@bugs.debian.org
Cc: 863445-submitter@bugs.debian.org
Subject: closing 863445
Date: Mon, 19 Jun 2017 14:37:10 +0200
close 863445 0.16.8-1
thanks




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 18 Jul 2017 07:38:10 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:38:19 2025; Machine Name: buxtehude
