376348 – CVE 2017-5593: User Impersonation Vulnerability in Jabber protocol

Bug 376348 - CVE 2017-5593: User Impersonation Vulnerability in Jabber protocol

Summary: CVE 2017-5593: User Impersonation Vulnerability in Jabber protocol

Status:	RESOLVED FIXED

Alias:	None

Product:	kopete
Classification:	Unmaintained
Component:	Jabber Plugin (show other bugs)
Version:	unspecified
Platform:	Other All

Importance:	NOR critical
Target Milestone:	---
Assignee:	Kopete Developers

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-02-11 12:21 UTC by Pali Rohár
Modified:	2017-02-11 12:37 UTC (History)
CC List:	0 users

See Also:
Latest Commit:	https://commits.kde.org/kopete/6243764c4fd0985320d4a10b48051cc418d584ad
Version Fixed In:	16.12.3
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Pali Rohár 2017-02-11 12:21:58 UTC

Kopete since 16.11.80 is vulnerable for CVE 2017-5593 (User Impersonation Vulnerability) as it uses same XMPP library as Psi (libiris).

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5593
http://seclists.org/oss-sec/2017/q1/373

Fix for libiris:
https://github.com/psi-im/iris/pull/47/commits/02e976d4426a1319a7af7d26d7aba9d8c6077570

Comment 1 Pali Rohár 2017-02-11 12:28:29 UTC

Kopete versions since 1.10.80, part of KDE 16.11.80 are vulnerable.

Comment 2 Pali Rohár 2017-02-11 12:37:01 UTC

Git commit 6243764c4fd0985320d4a10b48051cc418d584ad by Pali Rohár.
Committed on 11/02/2017 at 12:24.
Pushed by pali into branch 'Applications/16.12'.

Fix CVE 2017-5593 (User Impersonation Vulnerability) in jabber protocol
FIXED-IN: 16.12.3

A  +52   -0    protocols/jabber/libiris/patches/01_cve_2017-5593.patch
M  +9    -5    protocols/jabber/libiris/src/xmpp/xmpp-im/xmpp_tasks.cpp

https://commits.kde.org/kopete/6243764c4fd0985320d4a10b48051cc418d584ad