Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 803590 (CVE-2021-37601) - <net-im/prosody-0.11.10: remote information disclosure (CVE-2021-37601)
Summary: <net-im/prosody-0.11.10: remote information disclosure (CVE-2021-37601)
Status: IN_PROGRESS
Alias: CVE-2021-37601
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://seclists.org/oss-sec/2021/q3/...
Whiteboard: B4 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-23 22:21 UTC by John Helmert III
Modified: 2022-06-02 21:57 UTC (History)
1 user (show)

See Also:
Package list:
net-im/prosody-0.11.10
Runtime testing required: No


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-23 22:21:51 UTC
From URL:

**Description**

It was discovered that Prosody exposes the list of entities (Jabber/XMPP
addresses) affiliated (part of) a Multi-User chat to any user, even if they
are currently not part of the chat or if their affiliation would not let
them become part of the chat, if the `whois` room configuration was set to
`anyone`.

This allows any entity to access the list of admins, members, owners and
banned entities of any federated XMPP group chat of which they know the
address if it is hosted on a vulnerable Prosody server.

**Affected configurations**

All Multi-User chat rooms hosted on an affected Prosody version which are
configured to share the real addresses of occupants with all other
occupants ("non-anonymous").

The impact is particularly high for rooms which have this option set in
combination with "members-only" (to allow only entities which have at least
"members" affiliation to take part in the chat). Unfortunately, this
configuration is a pre-requisite for using the state-of-the-art OMEMO
end-to-end encryption system.

**Mitigating factors**

A client may choose a sufficiently random name for such private group
chats and set it to be not listed publicly. This prevents unaffiliated
attackers from exploiting the vulnerability, as long as the address of the
room is not leaked.

The public jabber chat room search engine has been modified to not return
any members-only rooms for now.


Please apply the patch at URL. Thanks!
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:20:34 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:28:36 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:36:36 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:44:39 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:52:42 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 17:56:38 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:00:37 UTC Comment hidden (obsolete)
Comment 8 NATTkA bot gentoo-dev 2021-07-29 18:08:55 UTC Comment hidden (obsolete)
Comment 9 Larry the Git Cow gentoo-dev 2021-08-07 22:49:13 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e4040b95675b3a76a3732b89a8fc1ac07fa16d6

commit 1e4040b95675b3a76a3732b89a8fc1ac07fa16d6
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-08-07 22:19:49 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-08-07 22:19:49 +0000

    net-im/prosody: bump to version 0.11.10
    
    Bug: https://bugs.gentoo.org/803590
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-im/prosody/Manifest               |   1 +
 net-im/prosody/prosody-0.11.10.ebuild | 102 ++++++++++++++++++++++++++++++++++
 2 files changed, 103 insertions(+)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-07 23:46:49 UTC
Thanks, please add CC-ARCHES when ready.
Comment 11 Agostino Sarubbo gentoo-dev 2021-08-09 06:40:28 UTC
amd64 stable
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-11 00:03:59 UTC
arm done
Comment 13 Agostino Sarubbo gentoo-dev 2021-08-25 04:23:35 UTC
x86 stable
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-26 21:03:45 UTC
arm64 done

all arches done
Comment 15 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-26 21:04:03 UTC
Please cleanup, thanks!
Comment 16 Larry the Git Cow gentoo-dev 2021-08-26 21:09:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=45091c462450c5df4ca2511f6cea2569bb9d2024

commit 45091c462450c5df4ca2511f6cea2569bb9d2024
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2021-08-26 21:08:35 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2021-08-26 21:08:56 +0000

    net-im/prosody: drop old version
    
    Bug: https://bugs.gentoo.org/803590
    Package-Manager: Portage-3.0.22, Repoman-3.0.3
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-im/prosody/Manifest              |   1 -
 net-im/prosody/prosody-0.11.9.ebuild | 102 -----------------------------------
 2 files changed, 103 deletions(-)
Comment 17 Larry the Git Cow gentoo-dev 2022-01-13 17:11:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=09efbc7cf7ecf85e974891d0f7cae1b264c736da

commit 09efbc7cf7ecf85e974891d0f7cae1b264c736da
Author:     Conrad Kostecki <conikost@gentoo.org>
AuthorDate: 2022-01-13 17:10:35 +0000
Commit:     Conrad Kostecki <conikost@gentoo.org>
CommitDate: 2022-01-13 17:10:40 +0000

    net-im/prosody: drop 0.11.10, 0.11.11
    
    Bug: https://bugs.gentoo.org/803590
    Bug: https://bugs.gentoo.org/831140
    Signed-off-by: Conrad Kostecki <conikost@gentoo.org>

 net-im/prosody/Manifest               |   2 -
 net-im/prosody/prosody-0.11.10.ebuild | 102 ----------------------------------
 net-im/prosody/prosody-0.11.11.ebuild | 102 ----------------------------------
 3 files changed, 206 deletions(-)
Comment 18 NATTkA bot gentoo-dev 2022-01-13 17:16:40 UTC
Unable to check for sanity:

> no match for package: net-im/prosody-0.11.10