Summary: net-im/pidgin, x11-plugins/pidgin-otr: libpurple OTR information leakage (CVE-2012-1257)
Product: Gentoo Security
Reporter: Michael Harrison <n0idx80>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
CC: hasufell, kensington, net-im
Package list:
Runtime testing required: ---
Description Michael Harrison 2012-02-27 10:36:27 UTC
libpurple is an Instant Messaging (IM) library developed by the Pidgin project. It is used by a number of IM clients including Pidgin and Adium. libpurple-based clients support the OTR (“Off-the-Record”) protocol either natively or via a plugin. The OTR messaging protocol enables users to communicate securely over any IM network.

If libpurple is compiled with DBUS support and there is a DBUS session daemon running on the system, then all messages passing through libpurple are broadcast over DBUS. The reason behind this is to allow third party applications, such as desktop widgets, to process these messages (e.g. create an animation when a message arrives). However, among the messages transmitted over DBUS one also finds the plaintext form of OTR conversations. This is a security problem, as the private OTR messages may leak to other (unrelated) processes that are executing under the same user as the libpurple-based application.

$URL contains a PoC and a Python script to verify the vulnerability.

Affected Products: libpurple (versions ≤ 2.10.1), libpurple clients with DBUS support (incl. pidgin versions ≤ 2.10.1), pidgin-otr (versions ≤ 3.2.0)

Solution: For now there does not appear to be a patch yet, per a comment made 17 hours ago, but one is on the way.

Pidgin bug: http://developer.pidgin.im/ticket/14830
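The report above describes the mechanism (libpurple re-emits every IM as a signal on the user's D-Bus session bus, so the OTR plugin's decrypted text is visible to any process in that session) and mentions a verification script without reproducing it. The following is an added example, not the reporter's script and not code from the Pidgin project, showing how an administrator can check their own build for the behaviour: it subscribes to libpurple's session-bus signals and records only whether a message body on the bus is still OTR ciphertext (which always starts with `?OTR`) or readable plaintext, never the text itself. It assumes dbus-python and PyGObject are installed, the interface name `im.pidgin.purple.PurpleInterface`, and the signal names `ReceivedImMsg` / `SendingImMsg` with the message body as the third argument; those names and argument positions are taken from libpurple's D-Bus signal documentation as I remember it and should be confirmed against the installed version. The pure functions can be exercised offline with constructed signal arguments; only `main()` touches the bus.

```python
"""Check whether libpurple exposes readable IM bodies on the D-Bus session bus.

Added example for the CVE-2012-1257 report; not the reporter's PoC and not
Pidgin project code. Interface/signal names below are assumptions taken
from libpurple's D-Bus API and should be verified against your build.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

PURPLE_IFACE = "im.pidgin.purple.PurpleInterface"  # assumed libpurple interface name

# signal name -> index of the message-body argument (assumed argument order)
MESSAGE_SIGNALS = {
    "ReceivedImMsg": 2,  # (account, sender, message, conversation, flags)
    "SendingImMsg": 2,   # (account, receiver, message)
}

OTR_PREFIX = "?OTR"  # every OTR protocol message on the wire begins with this


@dataclass
class Finding:
    signal: str
    peer: str
    body_len: int          # length only; the body itself is deliberately not kept
    looks_encrypted: bool  # True when the body is still OTR ciphertext / handshake


def inspect_signal(signal_name: str, args: Sequence) -> Optional[Finding]:
    """Classify one libpurple signal. Returns None for signals without an IM body."""
    idx = MESSAGE_SIGNALS.get(signal_name)
    if idx is None or len(args) <= idx:
        return None
    body = str(args[idx])
    return Finding(
        signal=signal_name,
        peer=str(args[1]),
        body_len=len(body),
        looks_encrypted=body.startswith(OTR_PREFIX),
    )


def leaked_plaintext(findings: Sequence[Finding]) -> list:
    """Findings whose body was readable on the bus rather than OTR ciphertext."""
    return [f for f in findings if not f.looks_encrypted]


def demo() -> list:
    """Offline run over constructed signal arguments (not captured from a real bus)."""
    constructed = [
        ("ReceivedImMsg", (1, "alice@example.org", "?OTRv23?", 7, 1)),   # OTR query, fine
        ("ReceivedImMsg", (1, "alice@example.org", "meet at 9", 7, 1)),  # plaintext: leak
        ("SendingImMsg", (1, "alice@example.org", "ok, see you")),        # plaintext: leak
        ("ConversationCreated", (7,)),                                      # no body: ignored
    ]
    findings = [f for name, args in constructed if (f := inspect_signal(name, args))]
    return leaked_plaintext(findings)


def main() -> None:
    """Listen on the live session bus; prints a one-line summary per leaked body."""
    import dbus                                   # dbus-python (assumed installed)
    from dbus.mainloop.glib import DBusGMainLoop
    from gi.repository import GLib                # PyGObject (assumed installed)

    DBusGMainLoop(set_as_default=True)
    bus = dbus.SessionBus()

    def on_signal(*args, member=None):
        finding = inspect_signal(member, args)
        if finding and not finding.looks_encrypted:
            print(f"plaintext IM body visible on session bus: signal={finding.signal} "
                  f"peer={finding.peer} length={finding.body_len}")

    # member_keyword makes dbus-python pass the signal name to the handler
    bus.add_signal_receiver(on_signal, dbus_interface=PURPLE_IFACE, member_keyword="member")
    GLib.MainLoop().run()


if __name__ == "__main__":
    main()
```

Run it as the same user while a libpurple client with an active OTR conversation is open; any line printed means the decrypted text is on the bus for every process in the session. The report's own statement of the precondition doubles as the mitigation: a libpurple built without D-Bus support, or a session without a running session daemon, emits nothing for this script to see.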
Comment 1 Michael Palimaka (kensington) 2012-05-16 12:30:16 UTC
pidgin-otr upstream has released a new version fixing their issue.
Comment 2 Michael Palimaka (kensington) 2012-05-16 12:34:52 UTC
(In reply to comment #1)
> pidgin-otr upstream has released a new version fixing their issue.
Please ignore my previous comment, this is for a different issue. Sorry for the noise.
Comment 3 Samuel Damashek (RETIRED) 2013-12-22 05:57:24 UTC
Looks like nothing's being done upstream about this. I suggest changing status to upstream+.
Comment 4 Thomas Deutschmann (RETIRED) 2016-11-23 19:36:05 UTC
@ Security: Please consider closing this bug, see https://bugzilla.redhat.com/show_bug.cgi?id=798279#c2
Comment 5 Aaron Bauman (RETIRED) 2016-11-25 05:13:59 UTC
Per the referenced links, this is a security enhancement vice a vulnerability. Pidgin uses DBus calls to notify the user of all received messages, but if using the OTR plugin the messages are not truly off the record. However, the messages are only sent and received within the user's DBus session.