
Bug 432404

Summary: misfiled: net-im/jabberd2: Prone to unsolicited XMPP Dialback attacks (CVE-2012-3525)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID
Severity: minor
CC: net-im
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=850872
Whiteboard: B4 [upstream/ebuild]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-08-23 10:44:02 UTC
From Red Hat Bugzilla at $URL:

A security flaw was found in the XMPP Dialback protocol implementation of jabberd2, an open-source server implementation of the Jabber protocols (the Verify Response and the Authorization Response were not checked within an XMPP server-to-server session). A rogue XMPP server could use this flaw to spoof one or more domains when communicating with a vulnerable server implementation, possibly leading to a bypass of XMPP's Server Dialback protections.

References:
[1] http://xmpp.org/resources/security-notices/server-dialback/

Upstream patch:
[2] https://github.com/Jabberd2/jabberd2/commit/aabcffae560d5fd00cd1d2ffce5d760353cf0a4d
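The two checks the Red Hat summary says were missing (matching a Verify Response against the db:verify request the server actually sent, on the stream it sent it over) can be illustrated with a small model of the XEP-0220 exchange. This is an added example, not jabberd2 code and not the upstream patch; the domains, stream ids and shared secret are constructed, the conn_peer argument stands in for the connection a real server would have opened after DNS resolution of the claimed domain, and the key derivation is the HMAC-SHA256 construction XEP-0220 recommends rather than whatever jabberd2 uses.

```python
"""XMPP Server Dialback (XEP-0220) verify-response handling, contrasting a
handler that trusts any type='valid' answer with one that checks the answer
against the request it sent. Added example; not jabberd2 source. Domains,
stream ids and the shared secret are constructed for illustration."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

DB_NS = "jabber:server:dialback"
VERIFY_TAG = f"{{{DB_NS}}}verify"


def dialback_key(secret, receiving, originating, stream_id):
    """Key generation recommended by XEP-0220: HMAC-SHA256 keyed with
    hex(SHA256(secret)) over "receiving originating stream_id"."""
    hkey = hashlib.sha256(secret.encode()).hexdigest().encode()
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(hkey, msg, hashlib.sha256).hexdigest()


class AuthoritativeServer:
    """Answers db:verify for its own domain by recomputing the key."""

    def __init__(self, domain, secret):
        self.domain, self.secret = domain, secret

    def on_db_verify(self, stanza):
        el = ET.fromstring(stanza)
        recv, orig, sid = el.get("from"), el.get("to"), el.get("id")
        expected = dialback_key(self.secret, recv, orig, sid).encode()
        ok = orig == self.domain and hmac.compare_digest(expected, (el.text or "").encode())
        return (f'<db:verify xmlns:db="{DB_NS}" from="{orig}" to="{recv}" '
                f'id="{sid}" type="{"valid" if ok else "invalid"}"/>')


class ReceivingServer:
    """Decides whether a peer may send stanzas for a claimed domain."""

    def __init__(self, domain, check_response=True):
        self.domain = domain
        self.check_response = check_response
        self.pending = {}        # (origin, stream_id) -> key awaiting verification
        self.authorized = set()  # origin domains allowed on inbound streams

    def on_db_result(self, stanza, stream_id):
        """Peer claims 'from'; remember the claim and return the db:verify
        we would send to the authoritative server for that domain."""
        el = ET.fromstring(stanza)
        origin, target = el.get("from"), el.get("to")
        if target != self.domain:
            return None
        self.pending[(origin, stream_id)] = el.text
        return (f'<db:verify xmlns:db="{DB_NS}" from="{target}" to="{origin}" '
                f'id="{stream_id}">{el.text}</db:verify>')

    def on_db_verify_response(self, stanza, conn_peer):
        """conn_peer: the domain whose authoritative server we connected to
        (resolved by us via DNS) and on whose stream this stanza arrived."""
        el = ET.fromstring(stanza)
        if el.tag != VERIFY_TAG:
            return False
        origin, target, sid = el.get("from"), el.get("to"), el.get("id")
        if not self.check_response:
            # Behaviour the advisory describes: type='valid' is taken at face
            # value, so whoever is on the other end can vouch for any domain.
            if el.get("type") == "valid":
                self.authorized.add(origin)
                return True
            return False
        # Answer must arrive on the stream we opened to origin's own server...
        if conn_peer != origin or target != self.domain:
            return False
        # ...and must answer a db:verify we actually sent (one answer each).
        if self.pending.pop((origin, sid), None) is None:
            return False
        if el.get("type") != "valid":
            return False
        self.authorized.add(origin)
        return True


def run_scenarios(check_response):
    """Honest peer, then a rogue peer vouching for a domain it does not own.
    Returns (honest_accepted, spoof_accepted, authorized_domains)."""
    secret = "constructed-shared-secret"
    recv = ReceivingServer("example.net", check_response)
    honest_auth = AuthoritativeServer("example.org", secret)
    sid = "stream-0001"
    key = dialback_key(secret, "example.net", "example.org", sid)
    result = (f'<db:result xmlns:db="{DB_NS}" from="example.org" '
              f'to="example.net">{key}</db:result>')
    verify = recv.on_db_result(result, sid)
    honest_ok = recv.on_db_verify_response(honest_auth.on_db_verify(verify), "example.org")
    # Rogue server, on a stream we opened to rogue.example, sends an unsolicited
    # db:verify type='valid' claiming to speak for bank.example (constructed).
    spoof = (f'<db:verify xmlns:db="{DB_NS}" from="bank.example" to="example.net" '
             f'id="stream-9999" type="valid"/>')
    spoof_ok = recv.on_db_verify_response(spoof, "rogue.example")
    return honest_ok, spoof_ok, sorted(recv.authorized)


if __name__ == "__main__":
    print("unchecked:", run_scenarios(check_response=False))
    print("checked:  ", run_scenarios(check_response=True))
```

With check_response=False the rogue peer gets bank.example added to the authorized set on the strength of a single unsolicited stanza; with the checks on, the response is rejected because it did not arrive on the stream opened to bank.example and answers no db:verify that was ever sent. The same three conditions (right stream, addressed to us, matches an outstanding request) apply to the Authorization Response, the db:result type='valid' an originating server receives back.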
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-08-27 08:03:06 UTC
jabberd2 != ejabberd
Comment 2 Agostino Sarubbo gentoo-dev 2012-08-28 20:00:22 UTC
(In reply to comment #1)
> jabberd2 != ejabberd
eix -s jabberd2

You will see http://jabberd2.xiaoka.com/ . On that page you can see the download link:
https://github.com/downloads/Jabberd2/jabberd2/jabberd-2.2.16.tar.gz

Since the commit code link is: https://github.com/Jabberd2/jabberd2/commit/aabcffae560d5fd00cd1d2ffce5d760353cf0a4d , I'd say this is the same package.

If you don't trust me:
wget https://github.com/downloads/Jabberd2/jabberd2/jabberd-2.2.16.tar.gz
tar xzf jabberd-2.2.16.tar.gz
cd jabberd-2.2.16

find . -name out.c
./s2s/out.c

and check it manually
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-08-28 21:09:57 UTC
Of course jabberd2 is jabberd2, but jabberd2 is not ejabberd.
Comment 4 Agostino Sarubbo gentoo-dev 2012-08-29 08:37:26 UTC
Sorry, but if the problem is in jabberd2 and we have jabberd2 in the main tree, why is it invalid... and where did you see ejabberd?
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-08-29 08:51:52 UTC
(In reply to comment #4)
> Sorry, but if the problem is in jabberd2 and we have jabberd2 in the main
> tree, why is it invalid... and where did you see ejabberd?

YOU filed it as "net-im/ejabberd : Prone to unsolicited XMPP Dialback attacks (CVE-2012-3525)".
Comment 6 Agostino Sarubbo gentoo-dev 2012-08-29 09:08:09 UTC
(In reply to comment #5)
> YOU filed it as "net-im/ejabberd : Prone to unsolicited XMPP Dialback
> attacks (CVE-2012-3525)".

It is easier to change the summary than to close the bug as invalid.
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-08-29 09:10:02 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > YOU filed it as "net-im/ejabberd : Prone to unsolicited XMPP Dialback
> > attacks (CVE-2012-3525)".
> 
> It is easier to change the summary than to close the bug as invalid.

Not if we already have another bug linked to the CVE. Also, as an actual member of the Security team, I handle bugs the way I think best, thank you very much.