Bug 432404 - misfiled: net-im/jabberd2: Prone to unsolicited XMPP Dialback attacks (CVE-2012-3525)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [upstream/ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-08-23 10:44 UTC by Agostino Sarubbo
Modified: 2012-08-29 09:10 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2012-08-23 10:44:02 UTC
From red hat bugzilla at $URL:

A security flaw was found in the XMPP Dialback protocol implementation of jabberd2, an open-source server implementation of the Jabber protocols (Verify Response and Authorization Response were not checked within the XMPP protocol server-to-server session). A rogue XMPP server could use this flaw to spoof one or more domains when communicating with a vulnerable server implementation, possibly leading to a bypass of XMPP's Server Dialback protections.

References:
[1] http://xmpp.org/resources/security-notices/server-dialback/

Upstream patch:
[2] https://github.com/Jabberd2/jabberd2/commit/aabcffae560d5fd00cd1d2ffce5d760353cf0a4d
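The report above says the two dialback replies were accepted without being checked. As an added example (not jabberd2 code and not the upstream patch linked above), the following Python models a receiving side that keeps an in-memory table of the dialback requests it actually sent and only treats a `<db:result>` or `<db:verify>` reply as authorisation when it is `type="valid"`, names the domains (and stream id) that were asked about, and matches an outstanding request. The unchecked handler shows the behaviour the report describes, in which any reply authorises whatever domain it names. Class and method names, and the sample stanzas, are constructed for this example.

```python
"""Server Dialback (XEP-0220) reply validation, modelled for illustration.

Added example, not jabberd2 code. The outstanding-request table and the
sample stanzas are constructed here; the namespace is the real dialback one.
"""
import xml.etree.ElementTree as ET

DB_NS = "jabber:server:dialback"
RESULT = "{%s}result" % DB_NS   # ElementTree's Clark notation for db:result
VERIFY = "{%s}verify" % DB_NS   # and for db:verify


class DialbackSession:
    """Tracks the dialback requests one local server has sent out."""

    def __init__(self):
        # outgoing <db:result> requests: (local domain, remote domain) -> key
        self.pending_result = {}
        # outgoing <db:verify> requests: (local, remote, stream id) -> key
        self.pending_verify = {}
        # remote domains whose dialback has completed successfully
        self.authorized = set()

    def send_result(self, local, remote, key):
        """Record that we sent <db:result from=local to=remote>key</db:result>."""
        self.pending_result[(local, remote)] = key

    def send_verify(self, local, remote, stream_id, key):
        """Record that we sent <db:verify from=local to=remote id=stream_id>."""
        self.pending_verify[(local, remote, stream_id)] = key

    def on_response_unchecked(self, xml):
        """Weak handling, as the report describes: a dialback reply authorises
        the domain it names without checking its type or a pending request."""
        el = ET.fromstring(xml)
        if el.tag not in (RESULT, VERIFY):
            return False
        remote = el.get("from")
        if not remote:
            return False
        self.authorized.add(remote)
        return True

    def on_response_checked(self, xml):
        """Hardened handling: accept only a type='valid' reply that matches a
        request we sent, and consume that request so it cannot be replayed."""
        el = ET.fromstring(xml)
        remote, local = el.get("from"), el.get("to")
        if el.get("type") != "valid" or not remote or not local:
            return False
        if el.tag == RESULT:
            # Reply to our <db:result>: the receiving server validated our key.
            if self.pending_result.pop((local, remote), None) is None:
                return False
            self.authorized.add(remote)
            return True
        if el.tag == VERIFY:
            # Reply to our <db:verify>: the authoritative server confirmed the
            # key for this stream id, so the inbound domain may be accepted.
            stream_id = el.get("id")
            if self.pending_verify.pop((local, remote, stream_id), None) is None:
                return False
            self.authorized.add(remote)
            return True
        return False


# Constructed stanzas: a reply for a domain we never asked about, and a
# genuine reply matching a request that was actually sent.
SPOOFED_RESULT = ('<db:result xmlns:db="%s" from="victim.example" '
                  'to="local.example" type="valid"/>' % DB_NS)
GENUINE_RESULT = ('<db:result xmlns:db="%s" from="remote.example" '
                  'to="local.example" type="valid"/>' % DB_NS)


def demo():
    """Return what each handler decides for the spoofed and genuine replies."""
    weak = DialbackSession()
    weak.send_result("local.example", "remote.example", "key-1")
    strict = DialbackSession()
    strict.send_result("local.example", "remote.example", "key-1")
    return {
        "unchecked_accepts_spoof": weak.on_response_unchecked(SPOOFED_RESULT),
        "checked_rejects_spoof": not strict.on_response_checked(SPOOFED_RESULT),
        "checked_accepts_genuine": strict.on_response_checked(GENUINE_RESULT),
        "checked_rejects_replay": not strict.on_response_checked(GENUINE_RESULT),
    }


if __name__ == "__main__":
    print(demo())
```

The important design point is that authorisation is keyed on state the local server created (the request it sent), not on attributes the peer chose to put in its reply; a `type="valid"` attribute on its own proves nothing.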
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-08-27 08:03:06 UTC
jabberd2 != ejabberd
Comment 2 Agostino Sarubbo gentoo-dev 2012-08-28 20:00:22 UTC
(In reply to comment #1)
> jabberd2 != ejabberd
eix -s jabberd2

You will see: http://jabberd2.xiaoka.com/ . In that link you can see the link to download it: 
https://github.com/downloads/Jabberd2/jabberd2/jabberd-2.2.16.tar.gz

Since the commit code link is: https://github.com/Jabberd2/jabberd2/commit/aabcffae560d5fd00cd1d2ffce5d760353cf0a4d , I'd say this is the same package.

If you don't trust me:
wget https://github.com/downloads/Jabberd2/jabberd2/jabberd-2.2.16.tar.gz
tar xzf jabberd-2.2.16.tar.gz
cd jabberd-2.2.16

find . -name out.c
./s2s/out.c

and check it manually
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-08-28 21:09:57 UTC
Of course jabberd2 is jabberd2, but jabberd2 is not ejabberd.
Comment 4 Agostino Sarubbo gentoo-dev 2012-08-29 08:37:26 UTC
Sorry, but if the problem is in jabberd2 and we have jabberd2 in the main tree, why is it invalid... and where did you see ejabberd?
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-08-29 08:51:52 UTC
(In reply to comment #4)
> sorry, but if the problem is on jabberd2 and we have jabberd2 in the main
> tree, why is invalid...and where did you see ejabberd?

YOU filed it as "net-im/ejabberd : Prone to unsolicited XMPP Dialback attacks (CVE-2012-3525)".
Comment 6 Agostino Sarubbo gentoo-dev 2012-08-29 09:08:09 UTC
(In reply to comment #5)
> YOU filed it as "net-im/ejabberd : Prone to unsolicited XMPP Dialback
> attacks (CVE-2012-3525)".

It is easier to change the summary instead of closing the bug as invalid.
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-08-29 09:10:02 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > YOU filed it as "net-im/ejabberd : Prone to unsolicited XMPP Dialback
> > attacks (CVE-2012-3525)".
> 
> is more easy change the summary instead of close the bug as invalid

Not if we already have another bug linked to the CVE. Also, as an actual member of the Security team, I handle bugs the way I think best, thank you very much.