libpurple is an Instant Messaging (IM) library developed by the Pidgin project. It is used by a number of IM clients including Pidgin and Adium. libpurple-based clients support the OTR (“Off-the-Record”) protocol either natively or via a plugin. The OTR messaging protocol enables users to communicate securely over any IM network.
If libpurple is compiled with DBUS support and there is a DBUS session daemon running on the system, then all messages passing through libpurple are broadcasted over DBUS. The reason behind this is to allow for third party applications, such as desktop widgets to process these messages (e.g. create an animation when a message arrives). However, among the messages transmitted over DBUS one also finds the plaintext form of OTR conversations. This is a security problem, as the private OTR messages may leak to other (unrelated) processes that are executing under the same user as the libpurple-based application.
$URL contains POC and python script to verify vulnerability
Affected Products: libpurple (versions ≤ 2.10.1), libpurple clients with DBUS support (incl. pidgin versions ≤ 2.10.1), pidgin-otr (versions ≤ 3.2.0)
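As an added illustration of the exposure described above (this is not the POC or script referenced by $URL, nor code from the Pidgin project), the following Python snippet parses a constructed excerpt of `dbus-monitor --session` output and reports message payloads that appear on the session bus in the clear for a peer whose traffic is otherwise OTR-encoded. It assumes libpurple's D-Bus interface name `im.pidgin.purple.PurpleInterface`, the `*ImMsg` signal names (`ReceivedImMsg`, `SendingImMsg`, `WritingImMsg`) and that the message text is the second string argument of those signals; it also relies on the fact that OTR wire messages start with `?OTR`. The capture text and its contents are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the style of `dbus-monitor --session` output.
# Interface, signal names and argument order are assumed to follow
# libpurple's D-Bus interface; the message bodies are made up.
SAMPLE_CAPTURE = """\
signal sender=:1.42 -> dest=(null destination) serial=57 path=/im/pidgin/purple/PurpleObject; interface=im.pidgin.purple.PurpleInterface; member=ReceivedImMsg
   int32 1
   string "alice@example.org"
   string "?OTR:AAMDAAAAAQAAAAIAAADA(constructed ciphertext)"
   int32 3
   uint32 0
signal sender=:1.42 -> dest=(null destination) serial=58 path=/im/pidgin/purple/PurpleObject; interface=im.pidgin.purple.PurpleInterface; member=WritingImMsg
   int32 1
   string "alice@example.org"
   string "the key is in the second drawer"
   int32 3
   int32 2
signal sender=:1.42 -> dest=(null destination) serial=59 path=/im/pidgin/purple/PurpleObject; interface=im.pidgin.purple.PurpleInterface; member=SendingImMsg
   int32 1
   string "alice@example.org"
   string "got it, thanks"
signal sender=:1.42 -> dest=(null destination) serial=60 path=/im/pidgin/purple/PurpleObject; interface=im.pidgin.purple.PurpleInterface; member=ReceivedImMsg
   int32 1
   string "bob@example.org"
   string "lunch?"
   int32 4
   uint32 0
"""

PURPLE_IFACE = "im.pidgin.purple.PurpleInterface"  # assumed libpurple interface name
SIGNAL_RE = re.compile(r"^signal .*interface=(?P<iface>[^;]+); member=(?P<member>\S+)")
STRING_RE = re.compile(r'^\s+string "(?P<value>.*)"$')


@dataclass
class ImSignal:
    member: str   # e.g. ReceivedImMsg / SendingImMsg / WritingImMsg
    peer: str     # first string argument: the remote buddy
    message: str  # second string argument: the message body


def parse_capture(text):
    """Extract libpurple *ImMsg signals and their string arguments."""
    signals = []
    pending = None  # (member, [string args]) for the signal being read

    def flush():
        if pending and len(pending[1]) >= 2:
            signals.append(ImSignal(pending[0], pending[1][0], pending[1][1]))

    for line in text.splitlines():
        m = SIGNAL_RE.match(line)
        if m:
            flush()
            member = m.group("member")
            wanted = m.group("iface") == PURPLE_IFACE and member.endswith("ImMsg")
            pending = (member, []) if wanted else None
            continue
        s = STRING_RE.match(line)
        if s and pending is not None:
            pending[1].append(s.group("value"))
    flush()
    return signals


def is_otr_wire(message):
    # OTR traffic as it travels over the IM network starts with "?OTR"
    # ("?OTR:" data messages, "?OTRv2?" queries, "?OTR Error:" errors).
    return message.startswith("?OTR")


def find_plaintext_leaks(capture_text):
    """Return (signal, peer, message) for clear-text bodies broadcast on the
    bus for peers that have an OTR session (evidenced by ?OTR traffic)."""
    signals = parse_capture(capture_text)
    otr_peers = {s.peer for s in signals if is_otr_wire(s.message)}
    return [(s.member, s.peer, s.message)
            for s in signals
            if s.peer in otr_peers and not is_otr_wire(s.message)]


if __name__ == "__main__":
    for member, peer, body in find_plaintext_leaks(SAMPLE_CAPTURE):
        print(f"OTR plaintext on session bus: {member} {peer}: {body!r}")
```

On the constructed capture the check flags the decrypted incoming body (`WritingImMsg`) and the not-yet-encrypted outgoing body (`SendingImMsg`) for `alice@example.org`; the `bob@example.org` line is not reported because nothing shows that conversation was ever OTR-protected, although it too is visible to every process on the same session bus.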
For now there does not appear to be a patch yet, per a comment made 17 hours ago, but one is on the way.
pidgin-otr upstream has released a new version fixing their issue.
(In reply to comment #1)
> pidgin-otr upstream has released a new version fixing their issue.
Please ignore my previous comment, this is for a different issue. Sorry for the noise.
Looks like nothing's being done upstream about this. I suggest changing status to upstream+.
@ Security: Please consider closing this bug, see https://bugzilla.redhat.com/show_bug.cgi?id=798279#c2
Per the referenced links this is a security enhancement vice a vulnerability. Pidgin uses DBus calls to notify the user of all received messages, but if using the OTR plugin the messages are not truly off the record. However, the messages are only sent and received within the user's DBus session.